Administration Guide
Contents
Management Overview
  Overview of Eucalyptus
  Accessing Eucalyptus
    Command Line Interface
    Eucalyptus Administrator Console Overview
Manage Access
  Access Overview
    Access Concepts
    Policy Overview
    LDAP/AD Integration
  Access Tasks
    Use Case: Create an Administrator
    Use Case: Create a User
Eucalyptus | Contents | 3
    Accounts
    Groups
    Users
    Credentials
    Synchronize LDAP/AD
Manage Resources
  Manage Compute Resources
  Manage Walrus Resources
  Manage IAM Resources
  Manage CloudWatch Resources
  Manage ELB Resources
  Manage Auto Scaling Resources
Manage Security
  Security Overview
  Best Practices
    Network and Message Security
    Authentication and Access Control
    Hosts
    Images and Instances
    User Console
    LDAP Security
  Tasks
    Configure Managed Mode
    Configure SSL
    Synchronize Components
    Configure Replay Protection
    Reserve Ports
    Configure the Firewall
    Configure Session Timeouts
    Configure LDAP
Manage Reporting
  Reporting Overview
    Instance Report
    S3 Report
    Volume Report
    Snapshot Report
    Elastic IP Report
    Capacity Report
  Reporting Best Practices
  Reporting Tasks
Eucalyptus Commands
  Eucalyptus Administration Commands
    euca_conf
    euca-describe-properties
    euca-modify-property
    euca-describe-services
  Eucalyptus Report Commands
    Report Commands: CLC
    Report Commands: Data Warehouse
  Modifiable Eucalyptus Properties
Management Overview
This section shows you how to access Eucalyptus with a web-based console and with command line tools. It also
describes how to perform common management tasks.
This document is intended to be a reference. You do not need to read it in order, unless you are following the directions
for a particular task.
Overview of Eucalyptus
Eucalyptus is a Linux-based software architecture that implements scalable, efficiency-enhancing private and hybrid
clouds within an enterprise's existing IT infrastructure. Because Eucalyptus provides Infrastructure as a Service (IaaS),
you can provision your own resources (hardware, storage, and network) through Eucalyptus on an as-needed basis.
A Eucalyptus cloud is deployed across your enterprise's on-premise data center. As a result, your organization has full
control of the cloud infrastructure. You can implement and enforce various levels of security. Sensitive data managed
by the cloud does not have to leave your enterprise boundaries, keeping data protected from external access
by your enterprise firewall.
Eucalyptus was designed from the ground up to be easy to install and non-intrusive. The software framework is modular,
with industry-standard, language-agnostic communication. Eucalyptus is also unique in that it provides a virtual network
overlay that isolates the network traffic of different users and also allows two or more clusters to appear to belong to the
same Local Area Network (LAN).
Eucalyptus is also compatible with Amazon's EC2, S3, and IAM services. This offers you hybrid cloud capability.
Accessing Eucalyptus
There are two ways to interact with Eucalyptus. You can use the administrative command line interface for making
requests to Eucalyptus, or you can use the web-based user interface, called the Eucalyptus Administrator Console.
Tip: This guide will show both CLI and Eucalyptus Administrator Console steps for performing a task, when
the task can be performed by both methods.
The Eucalyptus Administrator Console provides Quick Links for standard administrative actions and queries. These
links, located on the left side of the screen, provide a convenient way to navigate through the Eucalyptus Administrator
Console. For example, if you click Accounts, the Eucalyptus Administrator Console displays the Accounts page, listing
all accounts in your system. Any property of a link, e.g., an account ID, displays on the right side of the screen as a link.
For more experienced users, the Eucalyptus Administrator Console provides a robust search engine. You can search for
information or tasks quickly by building your own search. Because the Eucalyptus Administrator Console is search-based,
even the Quick Links and other URLs returned from searches are themselves searches. Because each link is a search,
any Eucalyptus Administrator Console link you bookmark is also a search.
So the Eucalyptus Administrator Console offers you two ways to get information: by search or by following links. To
show the member users of an account, you can click Accounts in Quick Links, select the account, and then click the
Member users link in the Properties section. Or, you can use the Search box and type:
user:account=<account_name>
<user_name>@<account_name>
Click the profile name to display the user profile menu. The menu provides the following functions:
- View/change profile: Displays the search result of the current user. In the search result page, you
  can view or change your identity's profile.
- View access key: Displays the search result of the current user's access key.
- Change password: Displays a dialog to change the password.
- Download new credentials: Downloads the current user's credential package in a zip file.
Quick Links
The left side of the Eucalyptus Administrator Console screen contains the Quick Links area. This area
provides links to various contents of the Eucalyptus Administrator Console.
The Quick Links area is organized into sections made up of two levels. The top level is a heading for
that section. Under each heading is a second section that contains a list of links. Each link is a search
query in the form of a URL. Click a link to return the associated search result. For example, Your
Keys is a search query of all the access keys belonging to you.
You can hide the Quick Links area by clicking the arrow of the vertical separator between Quick Links
and the main content area.
Main Content
The center part of the main screen displays the main content, usually the search result list. In many
content displays, the Eucalyptus Administrator Console displays a toolbar that contains action buttons.
The bottom of the content area provides the page navigation controls.
The search result list usually has multiple columns, some of which are sortable. Click the title of a
column to sort by that column. If the list is too long, the Eucalyptus Administrator Console partitions
the list into multiple pages. By default, each page displays a maximum of 25 rows, but you can configure
this number.
When you select an item in the main content area, the Eucalyptus Administrator Console highlights the
entire row and displays the Properties area. To select multiple items, use the Ctrl key for individual
items, or the Shift key for a continuous block of items.
Properties
The Properties area displays the detailed information about a selected search result item. The properties
are displayed in two columns: the property name is on the left, and the property value is on the right.
Working with the Properties area:
- The Eucalyptus Administrator Console displays values of editable properties in a white input box.
  If you make any changes to a value, the Eucalyptus Administrator Console displays the Save button
  at the bottom. Click this button to save any changed values.
- Some properties are of complex types, for example the list of member users of an account. In these
  cases, the property names are displayed as hyperlinks with a magnifying glass icon. These hyperlinks
  invoke a search query.
- Other properties display an "action" icon. For example, Password displays a pencil icon. Click that
  icon to change the password.
- The Eucalyptus Administrator Console allows you to customize the information displayed in
  Properties. Click the plus icon to add a new property to the display. Click the minus icon to delete
  a property from the display.
- Click the X next to the Properties title to hide the area.
Status
The bar at the bottom of the main screen shows system status messages, the log window toggle button, and
the software version (from left to right).
Logs
Click the LOG button on the status bar to pop up the log window. The log window records important
dashboard events, especially any operations that modify system state, e.g. adding a new account.
The log window records the latest 1024 log messages.
Using Search
This section details the Search function in the Eucalyptus Administrator Console.
Experienced users can use the search box to get any information provided by the dashboard. The basic syntax of a search
is as follows:
<type>: <field1>=<value1>,<value2> <field2>=<value1>,<value2>
The <type> specifies the information type provided by the Eucalyptus Administrator Console. Currently Eucalyptus
supports the following types:
Note: In the table, a field name in bold font means that for that field, the query evaluator does a partial match
for the value.
The minimal search query contains the type name and a colon. For example, to display the Start Guide page, you would
enter:
start:
After the colon, you enter a list of conditions, if any are accepted by the type name. Each condition has a field name
and a list of values. The field name and values are separated by an equals sign, with no space between the field name
and the values. Separate values with a comma and no space. Separate multiple conditions with a space.
For a search query to match, all conditions must be satisfied. Within each condition, only one of the values for the field
needs to match. For example, to find all users in the accounts whose names contain "testaccount", whose user
names contain "user1" or "user2", and who are enabled, enter the following:
After entering a search query in the search box in the header area of the main screen, press the Enter key. The search
result displays in the content area. The browser URL also changes to reflect the search: the search query
itself is part of the URL (after the pound sign). For example:
https://localhost:8443/#account:name=test
In fact, you can type a search directly in the URL box of the browser, but remember that the URL itself is URL-encoded.
This also enables Eucalyptus to construct a search URL and add it to any web page.
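The following is an added example, not part of the guide or of the Eucalyptus code: a parser and evaluator for the search syntax just described, run over constructed records. Which fields are partial-match (account and user name) and the record layout are assumptions for the example, since the type table is not reproduced on this page.

```python
"""Parser and evaluator for the Eucalyptus Administrator Console search
syntax:  <type>: <field1>=<value1>,<value2> <field2>=<value1>,<value2>
Rules from the guide: every condition must hold; within one condition any one
of its values may match; "bold" fields are matched as substrings, others
exactly.  Which fields are partial-match and the sample records are
constructed for this example (the real type table is not on this page)."""
import re
from urllib.parse import quote, unquote

# Assumption for this example: fields the evaluator matches partially.
PARTIAL_MATCH_FIELDS = {"account", "name"}

_TYPE_RE = re.compile(r"^([A-Za-z_]\w*):(.*)$", re.DOTALL)


def parse_query(query):
    """Return (type, conditions); conditions maps field -> list of values.
    The minimal query is '<type>:'.  Raises ValueError on malformed input."""
    m = _TYPE_RE.match(query.strip())
    if not m:
        raise ValueError("query must start with '<type>:'")
    qtype, rest = m.group(1), m.group(2).strip()
    conditions = {}
    for token in rest.split():            # conditions are separated by spaces
        if "=" not in token:
            raise ValueError("condition %r lacks '='" % token)
        field, values = token.split("=", 1)
        if not field or not values:
            raise ValueError("empty field or value list in %r" % token)
        conditions[field] = values.split(",")   # values: comma, no spaces
    return qtype, conditions


def _matches(field, wanted, actual):
    actual = str(actual)
    if field in PARTIAL_MATCH_FIELDS:
        return any(v in actual for v in wanted)
    return any(v == actual for v in wanted)


def evaluate(query, records):
    """Return the records of the query's type that satisfy ALL conditions."""
    qtype, conditions = parse_query(query)
    hits = []
    for rec in records:
        if rec.get("_type") != qtype:
            continue
        if all(field in rec and _matches(field, vals, rec[field])
               for field, vals in conditions.items()):
            hits.append(rec)
    return hits


def to_console_url(query, base="https://localhost:8443/"):
    """The console carries the query in the URL fragment, URL-encoded."""
    return base + "#" + quote(query, safe=":=,@")


def from_console_url(url):
    """Inverse of to_console_url: decode the fragment back into a query."""
    return unquote(url.split("#", 1)[1])


# Constructed sample data mirroring the guide's walk-through.
RECORDS = [
    {"_type": "user", "name": "user1", "account": "testaccount-a", "enabled": "true"},
    {"_type": "user", "name": "user2", "account": "testaccount-b", "enabled": "false"},
    {"_type": "user", "name": "user3", "account": "testaccount-a", "enabled": "true"},
    {"_type": "user", "name": "user2", "account": "prod", "enabled": "true"},
    {"_type": "account", "name": "testaccount-a"},
]

if __name__ == "__main__":
    q = "user:account=testaccount name=user1,user2 enabled=true"
    for r in evaluate(q, RECORDS):
        print(r["name"], "@", r["account"])
    print(to_console_url("account:name=test"))
```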
Cloud Overview
This topic presents an overview of the components in Eucalyptus.
Eucalyptus comprises six components: Cloud Controller, Walrus, Cluster Controller, Storage Controller, Node
Controller, and an optional VMware Broker. Each component is a stand-alone web service. This architecture allows
Eucalyptus both to expose each web service as a well-defined, language-agnostic API, and to support existing web
service standards for secure communication between its components.
Cloud Controller
The Cloud Controller (CLC) is the entry point into the cloud for administrators, developers, project
managers, and end-users. The CLC queries other components for information about resources, makes
high-level scheduling decisions, and makes requests to the Cluster Controllers (CCs). As the interface
to the management platform, the CLC is responsible for exposing and managing the underlying
virtualized resources (servers, network, and storage). You can access the CLC through command
line tools that are compatible with Amazon's Elastic Compute Cloud (EC2) and through the web-based
Eucalyptus Administrator Console.
Walrus
Walrus allows users to store persistent data, organized as buckets and objects. You can use Walrus
to create, delete, and list buckets, to put, get, and delete objects, or to set access control policies.
Walrus is interface-compatible with Amazon's Simple Storage Service (S3). It provides a mechanism
for storing and accessing virtual machine images and user data. Walrus can be accessed by end-users,
whether the user is running a client from outside the cloud or from a virtual machine instance running
inside the cloud.
Cluster Controller
The Cluster Controller (CC) generally executes on a machine that has network connectivity to both
the machines running the Node Controller (NC) and the machine running the CLC. CCs gather
information about a set of NCs and schedule virtual machine (VM) execution on specific NCs. The
CC also manages the virtual machine networks. All NCs associated with a single CC must be in the
same subnet.
Storage Controller
The Storage Controller (SC) provides functionality similar to the Amazon Elastic Block Store (Amazon
EBS). The SC is capable of interfacing with various storage systems (NFS, iSCSI, SAN devices,
etc.). Elastic block storage exports storage volumes that can be attached by a VM and mounted or
accessed as a raw block device. EBS volumes persist past VM termination and are commonly used
to store persistent data. An EBS volume cannot be shared between VMs and can only be accessed
within the same availability zone in which the VM is running. Users can create snapshots from EBS
volumes. Snapshots are stored in Walrus and made available across availability zones. Eucalyptus
with SAN support lets you use your enterprise-grade SAN devices to host EBS storage within a
Eucalyptus cloud.
Node Controller
The Node Controller (NC) executes on any machine that hosts VM instances. The NC controls VM
activities, including the execution, inspection, and termination of VM instances. It also fetches and
maintains a local cache of instance images, and it queries and controls the system software (host OS
and the hypervisor) in response to queries and control requests from the CC. The NC is also responsible
for the management of the virtual network endpoint.
VMware Broker
VMware Broker (Broker or VB) is an optional Eucalyptus component activated only in versions of
Eucalyptus with VMware support. Broker enables Eucalyptus to deploy virtual machines (VMs) on
VMware infrastructure elements. Broker mediates all interactions between the CC and VMware
hypervisors (ESX/ESXi) either directly or through VMware vCenter. For more information about
working with vSphere Server, see Working with vSphere.
VNET_NETMASK="255.255.0.0"
VNET_ADDRESSPERNET="32"
VNET_BRIDGE
Modes: Static, System, Managed (No VLAN)
On an NC, this is the name of the bridge interface to which instances' network interfaces should attach. A physical
interface that can reach the CC must be attached to this bridge. Common setting for KVM is br0.
VNET_BROADCAST, VNET_ROUTER
Modes: Static
The network broadcast and default gateway to supply to instances in DHCP responses.
VNET_DHCPUSER
Modes: Static, Managed, Managed (No VLAN)
The user the DHCP daemon runs as on your distribution. For CentOS 6 and RHEL 6, this is typically root.
Default: dhcpd
VNET_MACPREFIX
Modes: System, Managed, Managed (No VLAN)
This option is used to specify a prefix for MAC addresses generated by Eucalyptus for VM instances. The prefix has
to be in the form HH:HH where H is a hexadecimal digit.
Example: VNET_MACPREFIX="D0:D0"
VNET_MODE
Modes: All
The networking mode in which to run. The same mode must be specified on all CCs and NCs in your cloud.
Valid values: STATIC, SYSTEM, MANAGED, MANAGED-NOVLAN
Default: SYSTEM
VNET_PRIVINTERFACE
Modes: Static, Managed
The name of the network interface that is on the same network as the NCs. In Managed and Managed (No VLAN)
modes this must be a bridge for instances in different clusters but in the same security group to be able to reach
one another with their private addresses.
Default: eth0
VNET_PUBINTERFACE
Modes: Managed, Managed (No VLAN)
On a CC, this is the name of the network interface that is connected to the public network.
On an NC, this is the name of the network interface that is connected to the same network as the CC. Depending
on the hypervisor's configuration this may be a bridge or a physical interface that is attached to the bridge.
Default: eth0
VNET_PUBLICIPS="173.205.188.140-173.205.188.254"
VNET_SUBNET, VNET_NETMASK
Modes: Static, Managed, Managed (No VLAN)
These options control the internal private network used by instances within Eucalyptus. Eucalyptus assigns a distinct
subnet of private IP addresses to each security group. This setting dictates how many addresses each of these subnets
should contain. Specify a power of 2 between 16 and 2048. This is directly related, though not equal, to the number of
instances that can reside in each security group. Eucalyptus reserves eleven addresses per security group.
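As an added example (not part of the guide or of Eucalyptus), the checker below reads a eucalyptus.conf-style fragment and applies the rules stated above: the allowed VNET_MODE values, the HH:HH form of VNET_MACPREFIX, the power-of-two range for addresses per network with eleven reserved per security group, and which options each mode needs. The per-mode requirement map is my reading of the mode column above, and the addresses-per-net key is accepted under both the spelling in the fragment above (VNET_ADDRESSPERNET) and VNET_ADDRSPERNET.

```python
"""Sanity checks for the VNET_* options described in the table above.
Constructed example; the mode-to-required-options map is an assumption
derived from the table's mode column, not something Eucalyptus ships."""
import re

VALID_MODES = ("STATIC", "SYSTEM", "MANAGED", "MANAGED-NOVLAN")
RESERVED_PER_GROUP = 11          # guide: eleven addresses reserved per security group

# Assumption: options each mode requires, read off the mode column above.
REQUIRED_BY_MODE = {
    "STATIC": ("VNET_BRIDGE", "VNET_BROADCAST", "VNET_ROUTER", "VNET_DHCPUSER",
               "VNET_PRIVINTERFACE", "VNET_SUBNET", "VNET_NETMASK"),
    "SYSTEM": ("VNET_BRIDGE",),
    "MANAGED": ("VNET_DHCPUSER", "VNET_PRIVINTERFACE", "VNET_PUBINTERFACE",
                "VNET_SUBNET", "VNET_NETMASK"),
    "MANAGED-NOVLAN": ("VNET_BRIDGE", "VNET_DHCPUSER", "VNET_PRIVINTERFACE",
                       "VNET_PUBINTERFACE", "VNET_SUBNET", "VNET_NETMASK"),
}

# KEY="value"   # optional comment   (quotes optional, non-VNET lines ignored)
_LINE_RE = re.compile(r'^\s*(VNET_[A-Z_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_conf(text):
    """Return {option: value} for the VNET_* lines of a config fragment."""
    conf = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def addresses_per_net_ok(value):
    """Power of two between 16 and 2048, as the guide requires."""
    try:
        n = int(value)
    except ValueError:
        return False
    return 16 <= n <= 2048 and n & (n - 1) == 0


def instances_per_group(addrs_per_net):
    """Usable instance addresses per security group after the reserved eleven."""
    return int(addrs_per_net) - RESERVED_PER_GROUP


def check_vnet(conf):
    """Return a list of problems; an empty list means the fragment passes."""
    problems = []
    mode = conf.get("VNET_MODE", "SYSTEM")          # guide: default is SYSTEM
    if mode not in VALID_MODES:
        problems.append("VNET_MODE %r not in %s" % (mode, VALID_MODES))
        return problems                              # nothing else is meaningful
    for opt in REQUIRED_BY_MODE[mode]:
        if not conf.get(opt):
            problems.append("%s is required in %s mode" % (opt, mode))
    prefix = conf.get("VNET_MACPREFIX")
    if prefix is not None and not re.fullmatch(r"[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}", prefix):
        problems.append("VNET_MACPREFIX must be HH:HH, got %r" % prefix)
    apn = conf.get("VNET_ADDRSPERNET", conf.get("VNET_ADDRESSPERNET"))
    if apn is not None and not addresses_per_net_ok(apn):
        problems.append("addresses per net must be a power of 2 in 16..2048, got %r" % apn)
    return problems


# Constructed sample: Managed mode, with one deliberate mistake in the MAC prefix.
SAMPLE_CONF = '''
VNET_MODE="MANAGED"
VNET_PRIVINTERFACE="eth0"
VNET_PUBINTERFACE="eth1"
VNET_DHCPUSER="dhcpd"
VNET_SUBNET="172.16.0.0"
VNET_NETMASK="255.255.0.0"
VNET_ADDRSPERNET="32"
VNET_MACPREFIX="D0:D0:D0"   # wrong: the prefix must be exactly two octets
'''

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for p in check_vnet(conf):
        print("problem:", p)
    print("instances per security group:", instances_per_group(conf["VNET_ADDRSPERNET"]))
```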
- Changing vCenter or ESX(i) host settings that do not interfere with ongoing sessions and operations. For instance,
  a license on a host utilized by Eucalyptus may be changed as long as the host remains operational.
- Changing the vCenter ID or Name (see below regarding the change of IP address).
Actions that may be performed when Eucalyptus is not active (specifically, when the VMware Broker
is shut down):
- Deleting the templates (VMs whose names start with 'emi-'). Those will be recreated if needed, albeit at the cost of
  additional instance start-up delay. To control the space used by and the number of templates, use VMware Broker's
  configuration properties vmwarebroker.vsphere_cache_limit_bytes and vmwarebroker.vsphere_cache_max_elements.
- Managing roles and permissions for Eucalyptus-managed resources, as long as new roles, if any, are reflected in
  the VMware Broker configuration (see the 'login' parameter) and as long as no Eucalyptus-created running VMs are taken
  out of Eucalyptus's control.
- The vCenter IP address may be changed as long as VMware Broker's configuration is modified accordingly. IP addresses
  of ESX hosts may be changed as long as there are no running Eucalyptus VMs on the host (furthermore, a change
  of IP address may require adjustment of configuration unless the host can be discovered).
euca-modify-property -p bootstrap.webservices.clock_skew_sec=<new_value_in_seconds>
For additional protection from message replay attacks, the CLC implements a replay detection algorithm and rejects
messages with the same signature received within 15 minutes.
Important: To protect against replay attacks, the CLC only caches messages for 15 minutes. So it's important
that any client tools used to interact with the CLC have the Expires element set to a value less than 15 minutes
from the current time. This is usually not an issue with standard tools, such as euca2ools and Amazon EC2 API
Tools.
You can configure replay detection in the CLC to allow replays of the same message for a set time period. This might
be needed to ensure that legitimate requests submitted by automated scripts close together (such as two requests to
describe instances issued within the same second) are not rejected as malicious. The time within which messages with
euca-modify-property -p bootstrap.webservices.replay_skew_window_sec=<new_value_in_seconds>
If you set this property to 0, Eucalyptus will not allow any message replays. This setting provides the best protection
against message replay attacks, but may break some client-side scripts that issue commands too quickly.
If you set this property to any value greater than 15 minutes plus the value of ws.clock_skew_sec (that is, to a value
>= 920 sec in the default installation), Eucalyptus disables replay detection completely.
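The following is an added model of the replay-protection behaviour described above, written for this guide and not taken from the CLC source. It keeps a 15-minute signature cache, tolerates identical messages inside replay_skew_window_sec, treats a window of 0 as "no replays at all", and switches detection off once the window reaches 15 minutes plus the clock skew. The 20-second default clock skew is inferred from the 920-second figure above; times are plain unix seconds.

```python
"""Model of CLC replay protection as the guide describes it (added example).
A request is rejected if its Expires element is already past (allowing
clock_skew_sec), and a signature seen again within the 15-minute cache counts
as a replay unless it falls inside replay_skew_window_sec.  Assumed default
clock skew of 20 s is inferred from the guide's 920-second figure."""
from collections import OrderedDict

CACHE_WINDOW_SEC = 15 * 60       # the CLC caches message signatures for 15 minutes


class ReplayDetector:
    def __init__(self, clock_skew_sec=20, replay_skew_window_sec=0):
        self.clock_skew_sec = clock_skew_sec                  # bootstrap.webservices.clock_skew_sec
        self.replay_skew_window_sec = replay_skew_window_sec  # bootstrap.webservices.replay_skew_window_sec
        self._seen = OrderedDict()                            # signature -> time first seen

    @property
    def detection_enabled(self):
        """Guide: a window >= 15 min + clock skew disables replay detection."""
        return self.replay_skew_window_sec < CACHE_WINDOW_SEC + self.clock_skew_sec

    def _expire(self, now):
        """Forget signatures older than the cache window (oldest first)."""
        for sig, seen in list(self._seen.items()):
            if now - seen > CACHE_WINDOW_SEC:
                del self._seen[sig]
            else:
                break

    def check(self, signature, expires, now):
        """Classify one request: 'accepted', 'expired' or 'replay'."""
        # Expires must not be further in the past than the clock-skew tolerance.
        if expires < now - self.clock_skew_sec:
            return "expired"
        self._expire(now)
        seen = self._seen.get(signature)
        if seen is not None and self.detection_enabled:
            # Inside the window a duplicate is tolerated, e.g. two identical
            # describe-instances calls in the same second.  With a window of 0
            # no duplicate is tolerated at all.
            if now - seen >= self.replay_skew_window_sec:
                return "replay"
        if seen is None:
            self._seen[signature] = now
        return "accepted"


if __name__ == "__main__":
    d = ReplayDetector(clock_skew_sec=20, replay_skew_window_sec=0)
    for sig, exp, now in (("sigA", 1100, 1000), ("sigA", 1100, 1000), ("sigB", 900, 1000)):
        print(sig, now, d.check(sig, exp, now))
```

Because the cache holds signatures for only 15 minutes, a message whose Expires lies further ahead than that could be accepted again once its signature has aged out, which is why the guide asks for Expires values under 15 minutes.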
Configure SSL
In order to connect to Eucalyptus using SSL, you must have a valid certificate for the Cloud Controller (CLC). You
must also be running the Cloud Controller and Cluster Controller (CC) on separate machines.
Create a keystore
Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, use the following
command to convert your trusted certificate and key into an appropriate format:
Note: this command will request an export password, which is used in the following steps.
Save a backup of the Eucalyptus keystore, at /var/lib/eucalyptus/keys/euca.p12, and then import your
keystore into the Eucalyptus keystore as follows:
keytool -importkeystore \
-srckeystore tmp.p12 -srcstoretype pkcs12 -srcstorepass [export_password] \
-destkeystore /var/lib/eucalyptus/keys/euca.p12 -deststoretype pkcs12 \
-deststorepass eucalyptus -alias [key_alias] \
-srckeypass [export_password] -destkeypass [export_password]
euca-modify-property -p bootstrap.webservices.ssl.server_alias=[key_alias]
euca-modify-property -p \
bootstrap.webservices.ssl.server_password=[export_password]
Optional: Configure the Cloud Controller and Walrus to redirect requests on port 443 to port 8773
The Cloud Controller and Walrus listen for both SSL and non-SSL connections on port 8773. If you have other tools
that expect to speak SSL on port 443, you should forward requests on that port to port 8773. For example, the following
iptables command can be used:
High Availability
This topic explains recommendations for high availability deployments.
High availability is the result of the combination of functionality provided by Eucalyptus and the environmental and
operational support to maintain the constituent systems' proper operation. Eucalyptus provides functionality aimed at
enabling highly available operation:
- Detection of service faults and monitoring of system health: gather service status, determine current service topology,
  admit requests which can be satisfied using only healthy services in that topology
- Tools for interrogating the system's health: access to service state information
- Error gathering to aid in determining the cause: access to fault information as it impacts service function
- Automated failover when redundant services are configured: removal of faulty services and enabling of healthy
  services
- Service state control: ability to remove individual component services (when configured as an HA pair) from operation
  without disrupting service
- Replacement/restoration of component services: procedures for restoring/replacing a component service after a
  total-loss failure (e.g., disk failure, host combustion, etc.)
In addition to the previously detailed deployment recommendations, delivering highly available services with Eucalyptus
depends on appropriate operational and maintenance support. The following sections detail the related system functionality
and procedures.
The following diagram indicates the set of relevant states and the transitions between them. Black arrows indicate a transition
between states that is initiated by the system or an administrator request. Red arrows indicate a failure to transition into
the originating state that results in a transition to the destination error state.
Storage Volumes
Eucalyptus manages storage volumes for your private cloud. Volume management strategies are application specific,
but this topic includes some general guidelines.
When setting up your Storage Controller, consider whether performance (bandwidth and latency of read/write operations)
or availability is more important for your application. For example, using several smaller volumes will allow snapshots
to be taken on a rolling basis, decreasing each snapshot creation time and potentially making restore operations faster
if the restore can be isolated to a single volume. However, a single larger volume allows for faster read/write operations
from the VM to the storage volume.
An appropriate network configuration is an important part of optimizing the performance of your storage volumes. For
best performance, each Node Controller should be connected to a distinct storage network that enables the NC to
communicate with the SC or SAN, without interfering with normal NC/VM-instance network traffic.
Eucalyptus includes configurable limits on the size of a single volume, as well as the aggregate size of all volumes on
an SC. The SC can push snapshots from the SAN device, where the volumes reside, to Walrus, where the snapshots
become available across multiple clusters. Smaller volumes will be much faster to snapshot and transfer, whereas large
volumes will take longer. However, if many concurrent snapshot requests are sent to the SC, operations may take longer
to complete.
Although an SC can manage an arbitrary number of volumes, intermittent issues have been reported with some hypervisors
when attaching more than 16 volumes to a single NC. Where possible, limiting the number of volumes to no more than
16 per NC is advisable.
EBS volumes are created from snapshots on the SC or SAN, after the snapshot has been downloaded from Walrus to
the device. Creating an EBS volume from a snapshot on the same cluster as the source volume of the snapshot will
reduce delays caused by having to transfer snapshots from Walrus.
# Set this to make the CC cache images, kernels and ramdisks. NCs must
# be able to reach the CC with the specified value.
CC_IMAGE_PROXY="192.168.0.100"
# Set this to the location where the CC image proxy should store cached
# images. The default is /var/lib/eucalyptus/dynserv/
CC_IMAGE_PROXY_PATH="/disk1/storage/cc_cache"
# Set this to the maximum size (in megabytes) of the CC image proxy cache.
# The default is 32768, or 32 gigabytes.
CC_IMAGE_PROXY_CACHE_SIZE="32768"
2. Create a data directory at the location specified in CC_IMAGE_PROXY_PATH and give the eucalyptus user (the account the CC runs as) full access to it. Do not make the cache world-writable: it holds the kernels, ramdisks and images that NCs boot, so any local user who can write to it can change what your instances run.
mkdir -p /disk1/storage/cc_cache/data
chown -R eucalyptus:eucalyptus /disk1/storage/cc_cache
chmod -R u+rwX,go-rwx /disk1/storage/cc_cache
Cloud Tasks
This section contains a listing of your Eucalyptus cloud-related tasks.
Heartbeat Service
http://CLCIPADDRESS:8773/services/Heartbeat returns the list of components and their current states. The endpoint is unauthenticated, so you can check whether a service is enabled without cloud credentials. For the same reason it discloses your component topology to anyone who can reach port 8773 on the CLC, so restrict access to that port at the network level.
eucalyptus-cloud stop
eucalyptus-cc stop
Suppose, for example, that you have SCs correctly configured and operating in HA mode, and you want to shut down the primary SC for maintenance. The primary SC is SC00 and the secondary SC is SC01: SC00 is ENABLED and SC01 is DISABLED.
To stop SC00 and cause SC01 to take over, enter the following command on SC00:
eucalyptus-cloud stop
Monitor the failover with:
euca-describe-services
Once SC01 is ENABLED, the eucalyptus-cloud process on the SC00 host is stopped and maintenance tasks can be performed. When maintenance is complete, start the eucalyptus-cloud process on SC00 again. SC00 enters the DISABLED state by default; you can choose to let SC01 remain the primary, with SC00 as the secondary.
If you want to designate SC00 as the primary, make sure no volumes or snapshots are being created
and that no volumes are being attached or detached, and then enter on SC01:
eucalyptus-cloud stop
Monitor the state of services using euca-describe-services until SC01 is marked DISABLED
and SC00 is ENABLED.
List Arbitrators
To see a list of the arbitrators running on your cloud, perform the steps listed in this topic.
Enter the following command to display Arbitrators for the current CLC or Walrus:
/usr/sbin/euca-describe-services --system-internal
Enter the following command to display Arbitrators on both primary and secondary CLCs or Walruses:
/usr/sbin/euca_conf --list-arbitrators
Caution: By default, the node controller injects the instance's public key by writing it into the instance's root filesystem from the NC host (filesystem key injection). This is potentially an unsafe practice, because the NC host is then handling a filesystem that was built by whoever registered the image. To disable key injection, set DISABLE_KEY_INJECTION=1 in eucalyptus.conf; instances that retrieve their public key from the metadata service do not need it.
euca-migrate-instances -i [instance_id]
To migrate all instances away from a Node Controller, enter the following command:
You can also optionally specify --stop-source, to stop the specified Node Controller and ensure that no new
instances are started on that NC while the migration occurs. This allows you to safely remove the NC without
interrupting running instances. The NC will remain in the DISABLED state until it is explicitly enabled using
euca-modify-service -s start [NC IP].
In some cases, timeouts may cause a migration to initially fail. Run the command again to complete the migration.
Restart Eucalyptus
Describes the recommended processes to restart Eucalyptus, including terminating instances and restarting Eucalyptus
components.
You must restart Eucalyptus whenever you make a physical change (e.g., switch out routers), or edit the eucalyptus.conf
file. To restart Eucalyptus, perform the following tasks in the order presented.
Tip: Before you restart Eucalyptus, we recommend that you notify all users that you are terminating all instances.
euca-terminate-instances <instance_id>
Restart Walrus
Log in to Walrus and enter the following command:
Restart the CC
Log in to the CC and enter the following command:
Restart the SC
Log in to the SC and enter the following command:
Restart an NC
To restart an NC perform the steps listed in this topic.
1. Log in to the NC and enter the following command:
You can automate the restart command for all of your NCs. Store a list of your NCs in a file called
nc-hosts that looks like:
nc-host-00
nc-host-01
...
nc-host-nn
euca-terminate-instances <instance_id>
Tip: The eucalyptus-cloud stop command also shuts down any CLC, Walrus, SC, CC and VMware Broker components co-located on the same host, stopping them at the same time and in the correct order.
/etc/init.d/eucalyptus-cloud stop
rm -rf /var/lib/eucalyptus/db
euca_conf --initialize
/etc/init.d/eucalyptus-cloud start
3. Note: You must have enough disk space to store copies of all your volumes. The backup directory will hold raw copies of tenant data, so give it the same access restrictions as the SC's own volume storage.
Save the content of each volume into a backup file. For example, with $dasdevice set to the device directory of the SC's volume group and $backup_dir set to the backup location:
for vol in $(lvdisplay -C "$dasdevice" | awk '/euca/ {print $1}'); do
    echo "$vol"
    dd if="$dasdevice/$vol" of="$backup_dir/$vol" bs=1M
done
4. Copy all snapshot files from $EUCALYPTUS/var/lib/eucalyptus/volumes/ to your backup directory. For example:
cp $EUCALYPTUS/var/lib/eucalyptus/volumes/snap-* $backup_dir/
Disable CloudWatch
To disable CloudWatch, run the following command.
euca-modify-property -p <partition>.cloudwatch.disable_cloudwatch_service=true
Manage Access
Eucalyptus manages access control through an authentication, authorization, and accounting system. This system manages
user identities, enforces access controls over resources, and provides reporting on resource usage as a basis for auditing
and managing cloud activities.
The user identity organizational model and the scheme of authorizations used to access resources are based on and
compatible with the AWS Identity and Access Management (IAM) system, with some Eucalyptus extensions provided
that support ease-of-use in a private cloud environment.
You can also authenticate users by integrating Eucalyptus with an existing LDAP or Active Directory. In this case, user, group and account information is imported from LDAP/AD, and Eucalyptus Administrator Console logins are authenticated against the LDAP/AD service. This information cannot be changed from the Eucalyptus side while LDAP/AD integration is turned on.
However, other Eucalyptus-specific information about user, group and account is still stored within the local database
of Eucalyptus, including certificates, secret keys and attached policies.
For more information about synchronizing an existing LDAP or Active Directory with Eucalyptus, see LDAP/AD
Integration.
Access Overview
The Eucalyptus design of user identity and access management provides layers in the organization of user identities.
This gives you refined control over resource access. Though compatible with the AWS IAM, there are also a few
Eucalyptus-specific extensions that meet the needs of enterprise customers.
Access Concepts
This section describes what Eucalyptus access is and what you need to know about it so that you can configure access
to your cloud.
User Identities
In Eucalyptus, user identities are organized into accounts. An account is the unit of resource usage accounting, and also
a separate namespace for many resources (security groups, key pairs, users, etc.).
Accounts are identified by either a unique ID (UUID) or a unique name. The account name is like IAM's account alias.
It is used to manipulate accounts. However, for AWS compatibility, the EC2 commands often use account ID to display
resource ownership.
There are command line tools to discover the correspondence of account ID and account name. For example,
euare-accountlist lists all the accounts with both their IDs and names.
An account can have multiple users, but a user can only be in one account. Within an account, users can be associated with groups. Groups are used to attach access permissions to multiple users at once. A user can be associated with multiple groups.
Because an account is a separate name space, user names and group names have to be unique only within an account.
Therefore, user X in account A and user X in account B are two different identities.
Both users and groups are identified by their names, which are unique within an account (they also have UUIDs, but
are rarely used).
Special Identities
Eucalyptus has two special identities for the convenience of administration and use of the system.
The eucalyptus account: Each user in the eucalyptus account has unrestricted access to all of the cloud's resources,
similar to the superuser on a typical Linux system. These users are often referred to as system administrators or cloud
administrators. This account is automatically created when the system starts for the first time. You cannot remove
the eucalyptus account from the system.
The admin user of an account: Each account, including the eucalyptus account, has a user named admin. This user
is created automatically by the system when an account is created. The admin of an account has full access to the
resources owned by the account. You can not remove the admin user from an account. The admin can delegate
resource access to other users in the account by using policies.
Credentials
This topic describes the different types of credentials used by Eucalyptus.
Each user has a unique set of credentials. These credentials are used to authenticate access to resources. There are three
types of credentials:
An X.509 certificate is used to authenticate requests to the SOAP API service.
A secret access key is used to authenticate requests to the REST API service.
A login password is used to authenticate the Eucalyptus Administrator Console access.
You can manage credentials using the command line tools (the euare- commands) or the Eucalyptus Administrator
Console. For more information about the command line tools, see the Euca2ools Reference Guide.
In IAM, each account has its own credentials. In Eucalyptus, the equivalent of account credentials are the credentials
of admin user of the account.
You can download the full set of credentials for a user or an account, including the X.509 certificate and secret access key, with either of the following commands. The resulting archive contains the private key and the secret key, so store it with restricted file permissions and treat it as you would a password:
/usr/sbin/euca_conf --get-credentials
or:
euca-get-credentials
Account Creation
This topic describes the process for creating an account.
You can create accounts two ways:
Direct creation using command line tool or Eucalyptus dashboard by sys admin. The accounts created in this method
will be available for accessing immediately.
Registration process. One can apply for an account through the dashboard. The process is as follows:
1. The cloud user registers using the form on the dashboard interface.
2. An email will then be sent to the sys admin for review. Sys admin can approve or reject the application by invoking
a URL included in the email. A notification email will be sent to the intended account owner.
3. If the application is approved, the account owner needs to invoke the URL included in the notification email to
confirm the approval.
4. Once confirmed, the new account becomes available.
The account registration status can be found in Eucalyptus Administrator Console. The account registration status is
actually associated with the account admin user. That means you can use the following command to obtain the same
information:
Where the --show-extra option displays extra information about a user in the following order:
Enabled status
Registration status
Password expires
The account registration status has the following values based on the status of registration process: REGISTERED,
APPROVED, or CONFIRMED. An account that is not confirmed cannot be used or accessed. The system administrator
can manipulate the account registration status in both dashboard and command line:
The command line manipulation of the registration status does not send the notification emails. Unless you are experienced,
we recommend that you use the Eucalyptus Administrator Console.
Policy Overview
Eucalyptus uses the same policy language as AWS IAM to specify user-level permissions. Policies are written in JSON. Each policy file can contain multiple statements, each specifying a permission.
A permission statement specifies whether to allow or deny a list of actions to be performed on a list of resources, under
specific conditions.
A permission statement has the following components:
Effect: The decision applied when the statement matches a request. Either: Allow or Deny
Action or NotAction: Indicates service-specific and case-sensitive commands. For example:
ec2:RunInstances
Resource or NotResource: Indicates selected resources, each specified as an Amazon resource name (ARN). For
example: arn:aws:s3:::acme_bucket/blob
Condition: Indicates additional constraints of the permission. For example: "DateGreaterThan"
The following example policy contains a statement that grants a user full permission. This is the same access as the account administrator:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"1",
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}]
}
For more information about policy language, go to the IAM User Guide.
Policy Notes
You can combine IAM policies with account-level permissions. For example, the admin of account A can give users in account B permission to launch one of account A's images by changing the image's launch permission attribute. The admin of account B can then use an IAM policy to designate which users can actually use the shared image.
You can attach IAM policies to both users and groups. When attached to groups, a policy is equivalent to attaching the
same policy to the users within that group. Therefore, a user might have multiple policies attached, both policies attached
to the user, and policies attached to the group that the user belongs to.
Do not attach IAM policies (except quota policies, a Eucalyptus extension) to account admins. At this point, doing so won't result in a failure but may have unexpected consequences.
Policy Extensions
Eucalyptus extends the IAM policy in order to meet the needs of enterprise customers.
EC2 Resource
In the AWS IAM that Eucalyptus targets, you cannot specify EC2 resources in a policy statement except with the wildcard *, so you cannot restrict a permission to specific EC2 entities. For example, you cannot restrict a user to run instances only from a specific image or with a specific VM type. To solve this, Eucalyptus adds an EC2 resource type to the policy language. The following is the ARN form of an EC2 resource; the example after it restricts ec2:RunInstances to the m1.small VM type while leaving the other resource types unrestricted.
arn:aws:ec2::<account_id>:<resource_type>/<resource_id>
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"2",
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource": [
"arn:aws:ec2:::vmtype/m1.small",
"arn:aws:ec2:::image/*",
"arn:aws:ec2:::securitygroup/*",
"arn:aws:ec2:::keypair/*",
"arn:aws:ec2:::availabilityzone/*",
"arn:aws:ec2:::instance/*"
]
}]
}
Policy Key
Eucalyptus implements the following AWS policy keys:
aws:CurrentTime
aws:SourceIp
Eucalyptus extends the policy keys with the following, which govern the lifetime of an instance:
ec2:KeepAlive: specifies the length of time (in seconds) that an instance can run
ec2:ExpirationTime: specifies the absolute time at which an instance expires; the sample policies below use it with the DateEquals condition and an ISO 8601 timestamp
The following example is the 24-hour restriction, with ec2:KeepAlive set to 1440. Note the unit mismatch: 1440 is 24 hours only if KeepAlive is measured in minutes; under the seconds definition above it is 24 minutes, and 24 hours would be 86400. Verify which unit your Eucalyptus version uses before relying on this value.
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"3",
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*",
"Condition":{
"NumericEquals":{
"ec2:KeepAlive":"1440"
}
}
}]
}
If there are multiple ec2:KeepAlive or ec2:ExpirationTime keys that match a request, Eucalyptus chooses
the longer lifetime for the instance to run.
Default Permissions
Different identities have different default access permissions. When no policy is attached to them, identities have the permissions listed below.
For convenience, Eucalyptus grants the following default access to regular users:
Users can list themselves (euare-userlistbypath)
Users can get their own attributes (euare-usergetattributes)
Users can get information about themselves (euare-usergetinfo)
Users can list their own accounts (euare-accountlist)
Account administrators have the following default permissions:
euare-accountlistpolicies
euare-accountgetpolicy
Quotas
Eucalyptus adds quota enforcement to resource usage. To avoid introducing another configuration language into
Eucalyptus, and simplify the management, we extend the IAM policy language to support quotas.
The only addition to the language is the new Limit effect. If a policy statement's effect is Limit, it is a quota statement.
A quota statement also has action and resource fields. You can use these fields to match specific requests, for example,
quota only being checked on matched requests. The actual quota type and value are specified using special quota keys,
and listed in the condition part of the statement. Only condition type NumericLessThanEquals can be used
with quota keys.
Important: Attach only quota policies to an account. Accounts accept only IAM policy statements whose Effect is "Deny" or "Limit"; if you attach a policy with an "Allow" statement to an account, you will get unexpected results.
The following quota policy statement limits the user it is attached to to launching a maximum of 16 instances.
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"4",
"Effect":"Limit",
"Action":"ec2:RunInstances",
"Resource":"*",
"Condition":{
"NumericLessThanEquals":{
"ec2:quota-vminstancenumber":"16"
}
}
}
}]
}
You can attach quotas to both users and accounts, although some of the quotas only apply to accounts. Quota attached
to groups will take no effect.
When a quota policy is attached to an account, it actually is attached to the account administrator user. Since only system
administrator can specify account quotas, the account administrator can only inspect quotas but can't change the quotas
attached to herself.
The following are all the quota keys implemented in Eucalyptus:
Default Quota
Contrary to IAM policies, by default there are no quota limits (other than the hard system limit) on any resource allocation for a user or an account. System administrators are not constrained by any quota, and account administrators are constrained only by account quotas.
Algorithms
This topic describes the algorithms used by Eucalyptus to determine access.
Sample Policies
Here are some example use cases and associated policies. You can edit these policies for your use, or use them as examples of JSON syntax and form.
Tip: For more information about JSON syntax used with AWS resources, go to Using AWS Identity and Access
Management.
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:*Describe*","ec2:*Run*"],
"Resource":"*"
}
]
}
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
The following policy grants a generic basic user permission to run instances and describe resources.
{
"Statement": [
{
"Sid": "Stmt1313605116084",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachVolume",
"ec2:Authorize*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:Describe*",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:GetConsoleOutput",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:ReleaseAddress"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Statement": [
{
"Action": [
"ec2:Delete*"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:CreateUser"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
The following policy allows users to run instances only until a specific time; after that no statement allows ec2:RunInstances, so requests are denied by default.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "NumericEquals":{"ec2:KeepAlive":"60000"}}
}
]
}
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "DateEquals":{"ec2:ExpirationTime":"2011-08-16T00:00:00Z"}}
}
]
}
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:::vmtype/m1.xlarge"
}
]
}
The following policy restricts users from launching instances with a specific image ID.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::image/emi-0FFF1874"
}
]
}
The following policy denies users every EC2 action on one specific elastic IP address, so they can neither associate nor release it.
{
"Statement": [
{
"Sid": "Stmt1313626078249",
"Action": "*",
"Effect": "Deny",
"Resource": "arn:aws:ec2:::address/192.168.10.140"
}
]
}
{
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::volume/*"
}
]
}
LDAP/AD Integration
You can use the Eucalyptus LDAP/Active Directory (AD) integration to synchronize existing LDAP/AD user and group
information with Eucalyptus.
When you enable LDAP/AD synchronization, Eucalyptus does the following:
Imports specified user and group information from LDAP or AD and maps them into a predefined two-tier
account/group/user structure
Authenticates Eucalyptus Administrator Console users through the connected LDAP or AD service
Note that Eucalyptus only imports the identities and some related information. Any Eucalyptus-specific attributes are
still managed from Eucalyptus. These include:
User credentials: secret access keys and X.509 certificates. The Eucalyptus Administrator Console login password
is an exception. Eucalyptus does not download passwords from LDAP/AD and does not save them either. Eucalyptus
authenticates Eucalyptus Administrator Console logins directly through LDAP/AD, using LDAP/AD authentication
(simple or SASL).
Policies: IAM policies and quotas. Policies are associated with identities within Eucalyptus, and stored in internal
database.
Also note that special identities, including system administrators and account administrators, are created in Eucalyptus
and not imported from LDAP/AD. Only normal user identities are imported.
Important: If you integrate LDAP/AD, you do not need to create IAM user login profiles for your users.
Identity Mapping
Identities in LDAP/AD are organized differently from the identity structure in Eucalyptus. So a transformation is required
to map LDAP/AD identities into Eucalyptus.
The following image shows a simple scheme of how the mapping works. In this scheme, the user groups in LDAP tree
are partitioned into two sets. Each set is mapped into one separate account. Group 1, 2 and 3 are mapped to Account 1
and Group 4 and 5 are mapped to Account 2. As the result, all users in Group 1, 2 and 3 will be in Account 1, and all
users in Group 4 and 5 will be in Account 2.
Note that each group can be mapped into multiple accounts. But understand that Eucalyptus accounts are separate name
spaces. So for groups and users that are mapped into different accounts, their information (name, attributes, etc) will be
duplicated in different accounts. And duplicated users will have separate credentials in different accounts. For example,
Group 1 may map to both Account 1 and Account 2. Say user A belongs to Group 1. Then Account 1 will have user A
and Account 2 will also have user A. User A in Account 1 and user A in Account 2 will have different credentials,
policies, etc., but the same user information.
Note: Currently, there is no way to map individual users into an account. The mapping unit is the LDAP user group, so where groups and users end up depends on the accounting-groups or groups-partition definitions.
The above command invokes the LIC tool to create a template LIC and fill in the encrypted password for authenticating to the LDAP/AD service (i.e. the password of the administrative user used to access LDAP/AD during synchronization). The LIC tool's primary functions are to encrypt the LDAP/AD password and to generate the starting LIC template; the usage output of the LIC tool shows the different ways to invoke it.
Once you have the LIC template, fill in the details by editing the *.lic file in a text editor; it is a simple text file in JSON format, and each top-level entity specifies one aspect of the LDAP/AD synchronization. Note that the example below connects with an ldap:// URL, "auth-method":"simple" and "use-ssl":"false", which sends the bind password, and every Eucalyptus Administrator Console password checked against LDAP/AD, across the network in cleartext. For anything beyond a lab, set use-ssl to true (or use an ldaps:// server-url) and leave ignore-ssl-cert-validation at false; otherwise a spoofed directory server can harvest those passwords. The following shows one possible example of a LIC file.
{
"ldap-service":{
"server-url":"ldap://localhost:7733",
"auth-method":"simple",
"user-auth-method":"simple",
"auth-principal":"cn=ldapadmin,dc=foo,dc=com",
"auth-credentials":"{RSA/ECB/PKCS1Padding}EAXRnvwnKtCZOxSrD/F3ng/yHH3J4jMxNUSkJJf6oqNMsUihjUerZ20e5iyXImPgjK1ELAPnppEfJvhCs7woS7jtFsedunsp5DJCNhgmOb2CR/MnH11V3FNY7bBWoew5A8Wwy6x7YrPMS0j7dJkwM7yfp1Z6AbKOo2688I9uIvJUQwEKS4dOp7RVdA0izlJBDPAxiFZ2qa40VjFI/1mggbiWDNlgxiVtZXAEK7x9SRHJytLS8nrNPpIvPuTg3djKiWPVOLZ6vpSgPcVEliP261qdUfnf3GDKi3jqbPpRRQ6n8yI6aHw0gAtq8/qPyqjkkDP8JsGBgmXMxiCNPogbWg==",
"use-ssl":"false",
"ignore-ssl-cert-validation":"false",
"krb5-conf":"/path/to/krb5.conf"
},
"sync":{
"enable":"true",
"auto":"true",
"interval":"900000",
"clean-deletion":"false"
},
"accounting-groups":{
"base-dn":"ou=groups,dc=foo,dc=com",
"id-attribute":"cn",
"member-attribute":"member",
"selection":{
"filter":"objectClass=accountingGroup",
"select":["cn=accountingToSelect,ou=Groups,dc=foo,dc=com"],
"not-select":["cn=accountingToIgnore,ou=Groups,dc=foo,dc=com"]
}
},
"groups":{
"base-dn":"ou=groups,dc=foo,dc=com",
"id-attribute":"cn",
"member-attribute":"member",
"selection":{
"filter":"objectClass=groupOfNames",
"select":["cn=groupToSelect,ou=Groups,dc=foo,dc=com"],
"not-select":["cn=groupToIgnore,ou=Groups,dc=foo,dc=com"]
}
},
"users":{
"base-dn":"ou=people,dc=foo,dc=com",
"id-attribute":"uid",
"user-info-attributes":{
"fullName":"Full Name",
"email":"Email"
},
"selection":{
"filter":"objectClass=inetOrgPerson",
"select":["uid=john,ou=People,dc=foo,dc=com",
"uid=jack,ou=People,dc=foo,dc=com"],
"not-select":["uid=tom,ou=People,dc=foo,dc=com"]
}
}
}
sync
The sync element contains elements for controlling synchronization.
accounting-groups
This section uses a special group in LDAP/AD to designate accounts in the Eucalyptus accounting group. The accounting
group takes normal LDAP/AD groups as members, i.e., they are groups of groups.
The accounting groups name becomes the account name in Eucalyptus. The member groups become Eucalyptus groups
in that account. And the users of all those groups become Eucalyptus users within that account and corresponding
Eucalyptus groups.
Important: If you use accounting-groups, remove the groups-partition section. These two sections
are mutually exclusive.
selection: The accounting groups you want to map to. This contains the following elements:
filter: The LDAP/AD search filter used to get the relevant LDAP/AD entities, e.g. the users to be synchronized (example: objectClass=groupOfNames). This element works the same as the filter option of ldapsearch, so for more advanced searching use compound filters with the boolean operators AND (&), OR (|) and NOT (!) (example: (&(ou=Sales)(objectClass=groupOfNames))).
select: Explicitly gives the full DN of entities to be synchronized, in case they can not be specified by the search filter (example: cn=groupToSelect,ou=Groups,dc=foo,dc=com).
not-select: Explicitly gives the full DN of entities NOT to be synchronized, in case this can not be specified by the search filter (example: cn=groupToIgnore,ou=Groups,dc=foo,dc=com).
groups-partition
Like accounting-groups, groups-partition specifies how to map LDAP/AD groups to Eucalyptus accounts. However, in this section you manually specify which LDAP/AD groups you want to map to which Eucalyptus accounts.
Important: If you use groups-partition, remove the accounting-groups section. These two sections
are mutually exclusive.
The Eucalyptus accounts are created by partitioning LDAP/AD groups. Each partition composes an Eucalyptus account.
So all the groups within the partition become Eucalyptus groups within that account. All the users of those groups will
become Eucalyptus users within that account and the corresponding Eucalyptus groups.
This section requires that you specify one partition at a time, using a list of JSON key-value pairs. For each entry, the
key is the account name to be mapped and the value is a list of names of LDAP/AD groups to be mapped into the account.
For example:
"groups-partition": {
"salesmarketing": ["sales", "marketing"],
"devsupport": ["engineering", "support"],
}
Here salesmarketing and devsupport are names for the groups partition and are used as the corresponding Eucalyptus
account names.
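The LIC example above and the rule that accounting-groups and groups-partition are mutually exclusive can be checked mechanically before a file is uploaded. The following linter is an added example; it is neither Eucalyptus code nor the LIC tool. Its assumptions, not taken from the page: a LIC is strict JSON once the trailing commas of a hand-edited file are removed, the LIC tool's encrypted credential always carries the "{RSA/ECB/PKCS1Padding}" prefix shown in the example, and the minimum automatic sync interval is this example's own operational choice.

```python
"""Pre-upload checks for a LIC (LDAP/AD Integration Configuration) file.

Added example; this is neither Eucalyptus code nor the LIC tool.  Assumed, not from
the page: a LIC is strict JSON once the trailing commas of a hand-edited file are
removed, the LIC tool's encrypted credential always carries the "{RSA/ECB/PKCS1Padding}"
prefix shown on this page, and the minimum sync interval below is this example's choice.
"""
import json
import re

MIN_SYNC_INTERVAL_MS = 60_000            # assumed operational floor; the page sets none
ENCRYPTED_PREFIX = "{RSA/ECB/PKCS1Padding}"
_TRAILING_COMMA = re.compile(r",(\s*[}\]])")
_DN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def parse_lic(text):
    """Parse a LIC document, dropping the trailing commas that hand-edited files tend to carry."""
    return json.loads(_TRAILING_COMMA.sub(r"\1", text))


def _true(value):
    return str(value).lower() == "true"  # LIC booleans are quoted strings


def lint_lic(lic):
    """Return [(severity, message), ...]; an empty list means every check passed."""
    out = []
    svc = lic.get("ldap-service", {})
    # The bind password and every console login checked against LDAP/AD travel over this
    # connection, so it must be encrypted and the directory server must be authenticated.
    if not (_true(svc.get("use-ssl")) or str(svc.get("server-url", "")).startswith("ldaps://")):
        out.append(("error", "cleartext LDAP bind: set use-ssl to true or use an ldaps:// server-url"))
    if _true(svc.get("ignore-ssl-cert-validation")):
        out.append(("error", "ignore-ssl-cert-validation is true: a spoofed directory could harvest the bind password"))
    if not str(svc.get("auth-credentials", "")).startswith(ENCRYPTED_PREFIX):
        out.append(("error", "auth-credentials is not the encrypted value produced by the LIC tool"))
    # accounting-groups and groups-partition are mutually exclusive, and one of them is required.
    mappings = [k for k in ("accounting-groups", "groups-partition") if k in lic]
    if len(mappings) == 2:
        out.append(("error", "accounting-groups and groups-partition are mutually exclusive; remove one"))
    elif not mappings:
        out.append(("error", "no account mapping: add accounting-groups or groups-partition"))
    sync = lic.get("sync", {})
    if _true(sync.get("auto")):
        try:
            interval = int(sync.get("interval", "0"))
        except ValueError:
            interval = 0
        if interval < MIN_SYNC_INTERVAL_MS:
            out.append(("warn", f"sync.interval of {interval} ms is below {MIN_SYNC_INTERVAL_MS} ms"))
    if _true(sync.get("clean-deletion")):
        out.append(("warn", "clean-deletion is true: identities missing from LDAP/AD are deleted with their credentials and policies"))
    # select / not-select entries are expected to be full DNs (see the element descriptions above).
    for section in ("accounting-groups", "groups", "users"):
        selection = lic.get(section, {}).get("selection", {})
        for key in ("select", "not-select"):
            for dn in selection.get(key, []):
                if not _DN.match(dn):
                    out.append(("error", f"{section}.selection.{key}: '{dn}' is not a DN"))
    return out


# Constructed sample: a condensed copy of the LIC shown on this page, trailing commas kept,
# with a placeholder in place of the real ciphertext.
SAMPLE_LIC = """{
  "ldap-service":{
    "server-url":"ldap://localhost:7733",
    "auth-method":"simple",
    "user-auth-method":"simple",
    "auth-principal":"cn=ldapadmin,dc=foo,dc=com",
    "auth-credentials":"{RSA/ECB/PKCS1Padding}CIPHERTEXT-PLACEHOLDER",
    "use-ssl":"false",
    "ignore-ssl-cert-validation":"false",
  },
  "sync":{"enable":"true","auto":"true","interval":"900000","clean-deletion":"false",},
  "accounting-groups":{
    "base-dn":"ou=groups,dc=foo,dc=com","id-attribute":"cn","member-attribute":"member",
    "selection":{"filter":"objectClass=accountingGroup",
                 "select":["cn=accountingToSelect,ou=Groups,dc=foo,dc=com"],}
  },
  "users":{
    "base-dn":"ou=people,dc=foo,dc=com","id-attribute":"uid",
    "selection":{"filter":"objectClass=inetOrgPerson",
                 "select":["uid=john,ou=People,dc=foo,dc=com"],
                 "not-select":["uid=tom,ou=People,dc=foo,dc=com"],}
  },
}"""
```

Run lint_lic(parse_lic(open(path).read())) before uploading a LIC. On the page's own example it reports exactly one error, the cleartext ldap:// bind, and passes once use-ssl is set to true; adding a groups-partition section next to accounting-groups, or pasting a plaintext password into auth-credentials, each produces a further error.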
groups
The groups element specifies how to map LDAP/AD groups to Eucalyptus groups. Its elements (base-dn, id-attribute, member-attribute and selection, as in the example above) have the same meanings as in the accounting-groups element.
users
The users element specifies which LDAP/AD users are synchronized and which of their attributes are imported (base-dn, id-attribute, user-info-attributes and selection in the example above). Its selection element takes the same filter, select and not-select children as accounting-groups; not-select explicitly gives the full DN of entities NOT to be synchronized, in case this can not be specified by the search filter.
Synchronization Process
This topic explains what happens to start the synchronization process and what the synchronization process does.
The synchronization always starts when the following happens:
You manually upload a LDAP/AD Integration Configuration (LIC) file. Every new or updated LIC upload triggers
a new synchronization.
If the automatic synchronization is enabled, a synchronization is started when the timer goes off.
Note: Eucalyptus does not allow concurrent synchronization. If you trigger synchronization more than once
within a short time period, Eucalyptus only allows the first one.
During a synchronization, everything specified by an LIC in the LDAP/AD tree will be downloaded into Eucalyptus
internal database. Each synchronization is a merging process of the information already in the database and the information
from LDAP/AD. There are three cases for each entity: user, group or account:
If an entity from LDAP/AD is not in Eucalyptus, a new one is created in the database.
If an entity from LDAP/AD is already in Eucalyptus, the Eucalyptus version is updated. For example, if a user's info attributes are changed, those changes are downloaded and applied.
If an entity in Eucalyptus is missing from LDAP/AD, it will be removed from the database if the clean-deletion
option in LIC is set to true. Otherwise, it will be left in the database.
Important: If clean-deletion is set to true, entities removed from Eucalyptus are lost permanently, along with all their permissions and credentials. The resources associated with the entity are left untouched; it is the system administrator's job to recycle them.
Access Tasks
This section provides details about the tasks you perform using policies and identities. The tasks you can perform are
divided up into tasks for users, tasks for groups, and tasks for policies.
The following use cases detail work flows for common processes:
Use Case: Create an Administrator
Use Case: Create a User
You can perform the following access-related tasks listed in the following sections:
Accounts:
Add an Account
Approve an Account
Reject an Account
Rename an Account
List Accounts
Delete an Account
Groups:
Create a Group
Add a Group Policy
Modify a Group
Add a User to a Group
Remove a User from a Group
List Groups
List Policies for a Group
Delete a Group
Users:
Add a User
Create a Login Profile
Modify a User
List Users
Delete a User
Credentials:
Generating User Credentials
Retrieving Existing User Credentials
Uploading a Certificate
Working with Administrator Credentials
euare-groupcreate -g administrators
euare-grouplistbypath
Eucalyptus returns a listing of the groups that have been created, as in the following example.
arn:aws:iam::123456789012:group/administrators
euare-usercreate -u alice
euare-useraddkey -u alice
Eucalyptus returns the access key ID and the user's secret key.
2. Open the ~/.eucarc file and replace the account credentials with the ones you just created, as in this example:
export EC2_ACCESS_KEY='WOKSEQRNM1LVIR702XVX1'
export EC2_SECRET_KEY='0SmLCQ8DAZPKoaC7oJYcRMfeDUgGbiSVv1ip5WaH'
AWSAccessKeyId=WOKSEQRNM1LVIR702XVX1
AWSSecretKey=0SmLCQ8DAZPKoaC7oJYcRMfeDUgGbiSVv1ip5WaH
source ~/.eucarc
Create a Group
We recommend that you apply permissions to groups, not users. In this example, we will create a group for users with
limited access.
1. Enter the following command to create a group for users who will be allowed to create snapshots of volumes in
Eucalyptus.
euare-groupcreate -g ebs-backup
{
"Statement": [
{
"Action": [
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Eucalyptus responds with the access key ID and the secret key, as in the following example:
AKIAJ25S6IJ5K53Y5GCA
QLKyiCpfjWAvlo9pWqWCbuGB9L3T61w7nYYF057l
Accounts
Accounts are the primary unit for resource usage accounting. Each account is a separate namespace and is identified
by its UUID (Universally Unique Identifier).
Tasks performed at the account level can only be done by the users in the eucalyptus account.
Add an Account
To add an account, perform the steps listed in this topic.
Add an Account (CLI)
To add a new account using the CLI:
Enter the following command:
euare-accountcreate -a <account_name>
Eucalyptus returns the account name and its ID, as in this example:
account01 592459037010
Approve an Account
To approve an account, perform the steps listed in this topic.
1. Click Accounts in the Quick Links section.
The Accounts page displays.
2. Click the ID of the account you want to approve.
The account, name, and Registration status are highlighted.
3. Click Approve.
The Approve selected accounts popup displays.
4. Verify that the displayed account is the one you want, and click OK.
The account's registration status displays as CONFIRMED on the Accounts page.
Reject an Account
To reject an account, perform the steps listed in this topic.
1. Click Accounts in the Quick Links section.
The Accounts page displays.
2. Click the ID of the account you want to delete.
The account, name, and Registration status are highlighted.
3. Click Reject.
The Reject selected accounts popup displays.
4. Verify that the displayed account is the one you want, and click OK.
The account no longer displays on the Accounts page.
Rename an Account
To rename an account, perform the steps listed in this topic.
Using the CLI
To change an account's name using the CLI:
Enter the following command:
euare-accountaliascreate -a <new_name>
List Accounts
To list accounts, perform the steps in this topic.
Using the CLI
Use the euare-accountlist command to list all the accounts in the cloud. The output lists the name and ID of each
account.
euare-accountlist
Delete an Account
To delete an account, perform the steps listed in this topic.
Tip: If there are resources tied to the account that you delete, the resources remain. We recommend that you
delete these resources first.
Use the -r option set to true to delete the account recursively. You don't have to use this option if you have already
deleted users, keys, and passwords in this account.
Eucalyptus does not return any message.
Delete an Account (Eucalyptus Administrator Console)
To delete an account:
1. Click Accounts in the Quick Links section.
The Accounts page displays.
2. Click the ID of the account you want to delete.
The account, name, and Registration status are highlighted.
3. Click Delete accounts.
The Delete selected accounts popup displays.
4. Verify that the displayed account is the one you want, and click OK.
Groups
Groups are used to share resource access authorizations among a set of users within an account. Users can belong to
multiple groups.
Important: A group in the context of access is not the same as a security group.
Create a Group
To create a group, perform the steps listed in this topic.
Using the CLI
To create a group using the CLI:
Enter the following command:
euare-groupcreate -g <group_name>
The optional -o parameter tells Eucalyptus to return the JSON policy, as in this example:
{"Version":"2008-10-17","Statement":[{"Effect":"Allow",
"Action":["ec2:RunInstances"], "Resource":["*"]}]}
Modify a Group
To modify a group, perform the steps listed in this topic.
Modifying a group is similar to a "move" operation. Whoever wants to modify the group must have permission to do it
on both sides of the move. That is, you need permission to remove the group from its current path or name, and put that
group in the new path or name.
For example, if a group changes from one area in a company to another, you can change the group's path from
/area_abc/ to /area_efg/. You need permission to remove the group from /area_abc/. You also need
permission to put the group into /area_efg/. This means you need permission to call UpdateGroup on both
arn:aws:iam::123456789012:group/area_abc/* and
arn:aws:iam::123456789012:group/area_efg/*.
Using the CLI
To modify a group using the CLI:
1. Enter the following command to modify the group's name:
4. Enter the name of the user you want to remove and click OK.
The user is now removed from the group.
List Groups
To list groups, perform the steps listed in this topic.
Using the CLI
To list all the groups a specific user is in:
Enter the following command:
euare-grouplistbypath
Eucalyptus returns a list of paths followed by the ARNs for the groups in each path. For example:
arn:aws:iam::eucalyptus:group/groupa
euare-grouplistpolicies -g <group_name>
Delete a Group
To delete a group, perform the steps listed in this topic.
Using the CLI
When you delete a group, you have to remove users from the group and delete any policies from the group. You can do
this with one command, using the euare-groupdel command with the -r option. Or you can follow these
steps to specify who and what you want to delete.
1. Individually remove all users from the group.
euare-groupdel -g <group_name>
4. Click OK.
The group is now deleted.
Users
Users are subsets of accounts and are added to accounts by an appropriately credentialed administrator. While the term
user typically refers to a specific person, in Eucalyptus, a user is defined by a specific set of credentials generated to
enable access to a given account. Each set of user credentials is valid for accessing only the account for which they were
created. Thus a user only has access to one account within a Eucalyptus system. If an individual person wishes to have
access to more than one account within a Eucalyptus system, a separate set of credentials must be generated (in effect
a new user) for each account (though the same username and password can be used for different accounts).
When you need to add a new user to your Eucalyptus cloud, you'll go through the following process:
1. Create a user
2. Add the user to a group
3. Give the user a login profile
Add a User
Using the CLI
To add a user using the CLI:
Enter the following command:
4. Enter the name of the user you want to add and click OK.
The user is now added to the group.
Modify a User
Modifying a user is similar to a "move" operation. Whoever wants to modify a user must have permission to do it on
both sides of the move. That is, you need permission to remove the user from the current path or name, and put that user
in the new path or name.
For example, if a user changes from one team in a company to another, you can change the user's path from /team_abc/
to /team_efg/. You need permission to remove the user from /team_abc/. You also need permission to put the
user into /team_efg/. This means you need permission to call UpdateUser on both
arn:aws:iam::123456789012:user/team_abc/* and
arn:aws:iam::123456789012:user/team_efg/*.
Using the CLI
To rename a user using the CLI:
1. Enter the following command to rename a user:
List Users
You can list users within a path.
Using the CLI
Use the euare-userlistbypath command to list all the users in an account or to list all the users with a particular
path prefix. The output lists the ARN for each resulting user.
euare-userlistbypath -p <path>
Delete a User
Using the CLI
To delete a user using the CLI:
Enter the following command:
euare-userdel -u <user_name>
4. Click OK.
The user is deleted.
Credentials
Eucalyptus uses different types of credentials for both user and administrative functions. Besides the login and password
used for accessing the Eucalyptus Administrator Console, Eucalyptus uses an SSH keypair and an X.509 certificate to
control access to instances and to Eucalyptus system functions using the command line tools. This section discusses the
various types of credentials and how to use them.
Working with User Credentials
Working with Administrator Credentials
To generate a new access key for a user as an account administrator, enter the following command:
euare-useraddkey -u <user_name>
To generate a private key and an X.509 certificate pair, enter the following:
euare-usercreatecert -u <user_name>
Where <account> and <user_name> are the names of the account and the user whose credentials are retrieved.
Tip: You can omit the --cred-account and --cred-user options when you get credentials for the
admin user of the eucalyptus account.
A user can get his or her credentials by logging in to the Eucalyptus Administrator Console and clicking Download
new credentials in the drop-down menu at the top of the screen. This downloads a zip file.
In the following example we download the credentials zip file to ~/.euca, then change access
permissions, as shown:
mkdir ~/.euca
cd ~/.euca
unzip <filepath>/<creds_zipfile>.zip
chmod 0700 ~/.euca
chmod 0600 *
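The following is an added example, not part of the Eucalyptus guide or its code: a check that a credentials directory still has the permissions set above (0700 on the directory, 0600 on each file), suitable for running before sourcing eucarc. check_credential_dir and the constructed temporary directory built by demo() are this example's own; the file names in it are placeholders, not real credentials.

```python
"""Verify credential directory permissions (added example)."""
import os
import shutil
import stat
import tempfile


def check_credential_dir(path):
    """Return a list of problems; an empty list means the directory matches
    chmod 0700 on the directory and chmod 0600 on its contents."""
    problems = []
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    dir_mode = stat.S_IMODE(st.st_mode)
    if dir_mode & 0o077:                       # any group/other access
        problems.append(f"{path}: mode {dir_mode:04o}, expected 0700")
    if st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if stat.S_ISLNK(fst.st_mode):
            # A link can point tooling at a file outside the protected
            # directory, which the chmod commands above would not cover.
            problems.append(f"{full}: symbolic link inside credentials directory")
            continue
        mode = stat.S_IMODE(fst.st_mode)
        if mode & 0o177:                       # group/other bits, or owner execute
            problems.append(f"{full}: mode {mode:04o}, expected 0600")
    return problems


def demo():
    """Build a constructed look-alike of ~/.euca with one file left at 0644
    and return what the check reports for it."""
    path = tempfile.mkdtemp()
    try:
        os.chmod(path, 0o700)
        for name, mode in (("eucarc", 0o600), ("sample-pk.pem", 0o644)):
            full = os.path.join(path, name)
            with open(full, "w") as fh:
                fh.write("constructed placeholder, not a real credential\n")
            os.chmod(full, mode)
        return check_credential_dir(path)
    finally:
        shutil.rmtree(path)
```

Point it at the real directory with check_credential_dir(os.path.expanduser("~/.euca")); any line it returns is a file that the unzip step left readable to other local users.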
Alternatively, you can view and copy your access keys and X.509 certificates from the Eucalyptus
Administrator Console after logging in, using the Navigation menu.
Uploading a Certificate
To upload a certificate provided by a user:
Enter the following command:
Synchronize LDAP/AD
To start an LDAP/AD synchronization:
1. Create an LDAP/AD Integration Configuration (LIC) file to specify all the details about the LDAP/AD synchronization.
2. Upload the LIC file to Eucalyptus using euca-modify-property.
The above command invokes the LIC tool to create a template LIC and fill in the encrypted password for authenticating
to the LDAP/AD service (that is, the password of the administrative user used to access LDAP/AD during synchronization).
The LIC tool's primary functions are to encrypt the LDAP/AD password and to generate the starting LIC template.
The usage output of the LIC tool shows the different ways to invoke the command.
Once you have the LIC template, you can fill in the details by editing the *.lic file using a text editor. Each top level
entity specifies one aspect of the LDAP/AD synchronization.
/usr/sbin/euca-modify-property -f authentication.ldap_integration_configuration=<lic_filename.lic>
Manage Resources
This section includes tasks to help you manage your users' cloud resources.
euca-describe-instances verbose
euca-describe-volumes verbose
euca-describe-keypairs verbose
To delete the login profile of a user in an account, enter the following command:
To modify the login profile of a user in an account, enter the following command:
To restrict an image to a specific availability zone, edit and attach this sample policy to a user:
{
"Statement":[
{
"Effect":"Allow",
"Action":"ec2:*",
"Resource":"*"
},
{
"Effect": "Deny",
"Action": [ "ec2:*" ],
"Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
"Condition": {
"ArnLike": {
"ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"
}
}
}
]
}
To restrict a user to actions only within a specific availability zone, edit and attach this sample policy to a user:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [ "ec2:TerminateInstances" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:AvailabilityZone": "PARTI00"
}
}
}]
}
To deny actions at the account level, edit and attach this example policy to an account:
{
"Statement": [ {
"Effect": "Deny",
"Action": [ "ec2:RunInstances" ],
"Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
"Condition": {
"ArnLike": {
"ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"
}
}
} ]
}
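The following is an added example, not part of the Eucalyptus guide or its code: a minimal evaluator for policies like the three above, so you can check what a policy grants or denies before attaching it. Wildcard matching, StringEquals and ArnLike are implemented here from the IAM policy language as a model (default deny, explicit Deny wins over Allow); the two policies embedded in the block are the guide's first and second samples, while the evaluate function, its helpers and the request contexts are this example's own.

```python
"""Minimal policy evaluator for the sample policies above (added example)."""
import re


def _glob(pattern, value):
    """Policy-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a missing context key fails the test."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "ArnLike":
                if not any(_glob(w, actual) for w in wanted):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _matches(stmt, action, resource, context):
    return (any(_glob(a, action) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny'. Nothing is allowed unless a statement allows
    it, and a matching explicit Deny always wins over any Allow."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


# The guide's first sample policy: allow all ec2 actions, but deny them in
# availability zone PARTI00 when the target image is emi-239D37F2.
ZONE_IMAGE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:*"],
         "Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
         "Condition": {"ArnLike": {
             "ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"}}},
    ]
}

# The guide's second sample policy: TerminateInstances only inside PARTI00.
ZONE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "*",
        "Condition": {"StringEquals": {"ec2:AvailabilityZone": "PARTI00"}},
    }]
}
```

Two things the evaluator makes visible: the second policy denies TerminateInstances whenever the ec2:AvailabilityZone key is absent from the request context, and the first policy's Deny only bites when both the zone resource and the image condition match, so the same image launched in another zone is still allowed.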
euwatch-describe-alarms verbose
eulb-describe-lbs verbose
To list the details of policies for all load balancers in your cloud, run the following command:
eulb-describe-lb-policies verbose
To list meta information for all load balancer policies in your cloud, run the following command:
eulb-describe-lb-policy-types verbose
To delete any load balancer or any load balancer resource on the cloud, instead of using the ELB name, use the DNS
name. For example:
$ eulb-describe-lbs verbose
LOAD_BALANCER MyLoadBalancer MyLoadBalancer-961915002812.lb.foobar.eucalyptus-systems.com 2013-10-30T03:02:53.39Z
$ eulb-delete-lb MyLoadBalancer-961915002812.lb.foobar.eucalyptus-systems.com
$ eulb-describe-lbs verbose
To show all Auto Scaling instances in your cloud, run the following command:
To delete an Auto Scaling resource in your cloud, first get the ARN of the resource, as in this example:
euscale-delete-launch-config arn:aws:autoscaling::961915002812:launchConfiguration:5ac29caf-9aad-4bdb-b228-5fce841dc062:launchConfigurationName/TestLaunchConfig
Manage Security
This section details concepts and tasks required to secure your cloud.
Security Overview
This topic is intended for people who are currently using Eucalyptus and who want to harden the cloud and underlying
configuration.
This topic covers available controls and best practices for securing your Eucalyptus cloud. Cloud security depends on
security across many layers of infrastructure and technology:
Security of the physical infrastructure and hosts
Security of the virtual infrastructure
Security of instances
Security of storage and data
Security of users and accounts
Tip: For information about securing applications in the AWS cloud, we recommend the Amazon Web Services
Security Best Practices whitepaper. The practices in this paper also apply to your Eucalyptus cloud.
Best Practices
This topic contains recommendations for hardening your Eucalyptus cloud.
Networking Mode
Managed mode is the only recommended networking mode for secure deployments. It provides security groups, which
are used to control inbound traffic to instances, as well as Layer-2 isolation between security groups.
Layer-2 isolation is enforced using a VLAN tag per security group. This protects traffic within a security group from
potential eavesdropping and hijacking by instances that belong to other security groups.
Eucalyptus does not currently enforce Layer-2 isolation between instances within the same security group.
For more information about choosing a networking mode, see the Installation Guide.
Replay Detection
Eucalyptus components receive and exchange messages using either Query or SOAP interfaces (or both). Messages
received over these interfaces are required to have a time stamp (as defined by the AWS specification) to prevent message
replay attacks. Because Eucalyptus enforces strict policies when checking timestamps in the received messages, for the
correct functioning of the cloud infrastructure it is crucial to keep clocks constantly synchronized (for example, with
ntpd) on all machines hosting Eucalyptus components. To prevent user command failures, it is also important to keep
clocks synchronized on the client machines.
Following the AWS specification, all Query interface requests containing the Timestamp element are rejected as expired
after 15 minutes of the timestamp. Requests containing the Expires element expire at the time specified by the element.
SOAP interface requests using WS-Security expire as specified by the WS-Security Timestamp element.
Endpoints
Eucalyptus requires that all user requests (SOAP with WS-Security and Query) are signed, and that their content is
properly hashed, to ensure integrity and non-repudiation of messages. For stronger security, and to ensure message
confidentiality and server authenticity, client tools and applications should always use SSL/TLS protocols with server
certificate verification enabled for communications with Eucalyptus components.
By default, Eucalyptus components are installed with self-signed certificates. For public Eucalyptus endpoints, certificates
signed by a trusted CA provider should be installed.
Credential Management
Only create users and credentials for the interfaces that you will actually use. For example, if you're only going to use
an account through the Administration Console or the User Console, do not create credentials for the SOAP and Query
interfaces.
Using euca_conf --get-credentials or downloading credentials through the Administration Console currently
creates a new set of X.509 certificates on each request. Use euare-useraddkey and euare-usercreatecert
to get a specific set of credentials whenever possible.
When rotating credentials, there is an option to deactivate, instead of removing, existing access/secret keys and X.509
certificates. Requests made using deactivated credentials will no longer be accepted, but the credentials will remain in
the Eucalyptus database and can be restored if needed. You can deactivate credentials using the Administration Console,
or using euare-usermodkey and euare-usermodcert.
Hosts
This topic describes best practices for machines that host a Eucalyptus component.
Eucalyptus recommends restricting physical and network access to all hosts comprising the Eucalyptus cloud, and
disabling unused applications and ports on all machines used in your cloud.
After installation, no local access to Eucalyptus component hosts is required for normal cloud operations and all normal
cloud operations can be done over remote web service APIs.
The CLC and Walrus are the only two components that generally expect remote connections from end users. Each
Eucalyptus component can be put behind a firewall following the list of open ports and connectivity requirements
described in the Configure the Firewall section.
For more information on securing Red Hat hosts, see the Red Hat Enterprise Linux Security Guide. Note that Eucalyptus
does not currently support SELinux configurations, and SELinux should be disabled.
PasswordAuthentication no
Encourage non-root access by providing an unprivileged user account. If necessary, use sudo to allow access to
privileged commands.
Always delete the shell history and any other potentially sensitive information before bundling. If you attempt more
than one bundle upload in the same image, the shell history contains your secret access key.
Bundling a running instance requires your private key and X.509 certificate. Put these and other credentials in a
location that is not bundled (e.g. when using euca-bundle-vol, pass the folder location where the certificates
are stored as part of the values for the -e option). AWS provides more in-depth information on security considerations
in creating a shared machine image.
Consider installing cloud-init in the image to help control root and non-root access. If cloud-init isn't available, a
custom /etc/rc.local script can be used.
Consider using a tool such as zerofree (http://manpages.ubuntu.com/manpages/precise/man8/zerofree.8.html) to zero out
any unused space on the image.
Consider editing /etc/rc.local to clear out the swap every time the instance is booted. This can be done using
the following command:
User Console
This topic describes things you can do to secure the Eucalyptus User Console.
Always use SSL for communications and install a CA-signed certificate.
We do not recommend choosing the "Remember my keys" option for "Login to AWS", because it stores AWS
credentials in the browser's local storage and increases the risk of those credentials being compromised.
Change the default session timeouts if needed. For more information, see Configure Session Timeouts.
LDAP Security
This topic explains variables in the LIC file you should use to secure configuration.
When you enable LDAP/Active Directory (AD) integration with Eucalyptus, we recommend that you use the following
variables in the LDAP/AD Integration Configuration (LIC) file. These variables are located under the ldap-service
element in the LIC file.
Element Description
When use-ssl is enabled, ldaps will be used. However, the server-url still needs to begin with ldap://.
We recommend using a proxy user for the auth-principal. Typically, a proxy user is associated with the
application that needs to read (and in some cases write) the LDAP/AD directory. Proxy users also make security
audits of the LDAP/AD directory easier. For use with Eucalyptus and the LDAP/AD sync, the proxy
user only needs read access. For more information about using proxy authentication with OpenLDAP and Active
Directory, go to the following resources:
For LDAP: Using SASL (see the SASL Proxy Authorization section)
For Active Directory: Supported Types of Security Principles
For more information about LDAP and security, go to the following resources:
Authentication Methods (see the "simple" method section)
Using SASL
Security Considerations
For more information about Active Directory and security, go to the following resources:
Simple Authentication
SASL Authentication
LDAP Security
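The following is an added example, not part of the Eucalyptus guide or its code: a lint pass over the ldap-service settings of a LIC file, checking the recommendations in this section (use-ssl on, certificate validation not ignored, an ldap:// server-url, a non-administrative proxy user as auth-principal). Only the keys named on this page are assumed to exist; the administrator-name check is a heuristic of this example, and the two sample configurations are constructed, not real LIC files.

```python
"""Lint the ldap-service section of a LIC document (added example)."""
import json


def _is_true(value):
    # LIC values are strings such as "true"/"false"; accept booleans too.
    return str(value).strip().lower() == "true"


def lint_ldap_service(lic):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    svc = lic.get("ldap-service")
    if not isinstance(svc, dict):
        return ["ldap-service element is missing"]
    url = str(svc.get("server-url", ""))
    if not _is_true(svc.get("use-ssl", "false")):
        findings.append("use-ssl is not true: the bind password and directory "
                        "contents cross the network unencrypted")
    if _is_true(svc.get("ignore-ssl-cert-validation", "false")):
        findings.append("ignore-ssl-cert-validation is true: the LDAP/AD server "
                        "certificate is not verified, so TLS does not "
                        "authenticate the server")
    if not url.startswith("ldap://"):
        findings.append(f"server-url {url!r} must begin with ldap:// (ldaps is "
                        "selected by use-ssl, not by the URL scheme)")
    principal = str(svc.get("auth-principal", "")).lower()
    if not principal:
        findings.append("auth-principal is empty")
    elif principal.startswith(("cn=administrator,", "cn=admin,")):
        # Heuristic only (this example's own): the guide recommends a
        # read-only proxy user rather than a directory administrator.
        findings.append("auth-principal looks like a directory administrator; "
                        "use a read-only proxy user instead")
    return findings


def lint_lic_text(text):
    """Same check for a LIC document held as JSON text."""
    return lint_ldap_service(json.loads(text))


# Constructed sample: the settings this section recommends.
HARDENED_LIC = {
    "ldap-service": {
        "server-url": "ldap://ldap.example.com:636",
        "use-ssl": "true",
        "ignore-ssl-cert-validation": "false",
        "auth-principal": "cn=euca-sync,ou=service,dc=example,dc=com",
    }
}

# Constructed sample: a configuration that should be sent back for rework.
WEAK_LIC = {
    "ldap-service": {
        "server-url": "ldaps://ldap.example.com",
        "use-ssl": "false",
        "ignore-ssl-cert-validation": "true",
        "auth-principal": "cn=Administrator,cn=Users,dc=example,dc=com",
    }
}
```

Run lint_lic_text over the *.lic file before uploading it with euca-modify-property; the weak sample above produces four findings, the hardened one none.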
Tasks
This section details the tasks needed to make your cloud secure.
Configure SSL
In order to connect to Eucalyptus using SSL, you must have a valid certificate for the Cloud Controller (CLC) and for
Walrus. You must also be running the Cloud Controller and Cluster Controller (CC) on separate machines.
Tip: The CLC and Walrus use the same tasks. You can just perform one or the other if your CLC and Walrus
are located on the same server.
Create a Keystore
Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, perform the
following steps.
1. Enter the following command to convert your trusted certificate and key into an appropriate format:
This command will request an export password, which is used in the following steps.
2. Save a backup of the Eucalyptus keystore, at /var/lib/eucalyptus/keys/euca.p12.
3. Import your keystore into the Eucalyptus keystore
keytool -importkeystore \
-srckeystore tmp.p12 -srcstoretype pkcs12 -srcstorepass [export_password] \
-destkeystore /var/lib/eucalyptus/keys/euca.p12 -deststoretype pkcs12 \
-deststorepass eucalyptus -alias [key_alias] \
-srckeypass [export_password] -destkeypass [export_password]
euca-modify-property -p bootstrap.webservices.ssl.server_alias=[key_alias]
euca-modify-property -p \
bootstrap.webservices.ssl.server_password=[export_password]
GENERATE_CERT=NO
Tip: If you choose not to use the default SSL certificate and key, you must provide your own. For more
information on generating self-signed SSL certificates, go to
http://www.akadia.com/services/ssh_test_certificate.html.
sslcert=/example/path/server.crt
sslkey=/example/path/server.key
mv signedcert.p12 /var/lib/eucalyptus/keys/signedcert.p12
chown eucalyptus:eucalyptus /var/lib/eucalyptus/keys/signedcert.p12
chmod 600 /var/lib/eucalyptus/keys/signedcert.p12
mkdir /tmp/eucalyptus-www
cd /tmp/eucalyptus-www
unzip /usr/share/eucalyptus/eucalyptus-www-3.4.2.jar eucalyptus-jetty.xml
5. Edit eucalyptus-jetty.xml to point to the new keystore. The following example assumes that your new keystore is
stored in /var/lib/eucalyptus/keys/:
<Set name="keystore">/var/lib/eucalyptus/keys/signedcert.p12</Set>
<Set name="truststore">/var/lib/eucalyptus/keys/signedcert.p12</Set>
<Set name="password">[yourkeystorepassword]</Set>
<Set name="keyPassword">[yourkeypassword]</Set>
<Set name="trustPassword">[yourkeystorepassword]</Set>
After restarting Eucalyptus, verify that the system is up using euca-describe-services. You should now be
able to access the Admin UI over SSL at https://[CLC-IP]:8443/.
"use-ssl":"true",
"ignore-ssl-cert-validation":"false",
Synchronize Components
To synchronize your Eucalyptus component machines with an NTP server, perform the following tasks.
1. Enter the following command on a machine hosting a Eucalyptus component:
# ntpdate pool.ntp.org
# service ntpd start
# chkconfig ntpd on
# ps ax | grep ntp
# hwclock --systohc
Important: To protect against replay attacks, the CLC only caches messages for 15 minutes, so it's important
that any client tools used to interact with the CLC have the Expires element set to a value less than 15 minutes
from the current time. This is usually not an issue with standard tools, such as euca2ools and the Amazon EC2 API
Tools.
1. The CLC replay detection algorithm rejects messages with the same signatures received within 15 minutes. The time
within which messages with the same signatures are accepted is controlled by the
bootstrap.webservices.replay_skew_window_sec property. The default value of this property is
three seconds. To change this value, enter the following command:
euca-modify-property -p bootstrap.webservices.replay_skew_window_sec=[new_value_in_seconds]
If you set this property to 0, Eucalyptus will not allow any message replays. This setting provides the best protection
against message replay attacks, but may break some of the client-side scripts that issue commands too quickly.
If you set this property to any value greater than 15 minutes plus the value of bootstrap.webservices.clock_skew_sec
(that is, to a value >= 920 seconds in the default installation), Eucalyptus disables replay detection completely.
2. When checking message timestamps for expiration, Eucalyptus allows up to 20 seconds of clock drift between the
machines. This is a default setting. You can change this value for the CLC at runtime by setting the
bootstrap.webservices.clock_skew_sec property as follows:
euca-modify-property -p bootstrap.webservices.clock_skew_sec=[new_value_in_seconds]
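The following is an added example, not part of the Eucalyptus guide or its code: a stand-alone model of the freshness and replay checks described in the Replay Detection section and in the two steps above, so the effect of clock_skew_sec and replay_skew_window_sec can be tried out offline before changing them on a live CLC. RequestGate and its method names are this example's own; the signatures and times used are constructed, and the exact internals of the CLC cache are not claimed.

```python
"""Model of timestamp expiry and replay detection (added example)."""
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW = timedelta(minutes=15)   # Timestamp-based requests expire after 15 minutes


class RequestGate:
    """Accept or reject incoming signed requests the way the guide describes."""

    def __init__(self, clock_skew_sec=20, replay_skew_window_sec=3):
        self.clock_skew = timedelta(seconds=clock_skew_sec)
        self.replay_window = timedelta(seconds=replay_skew_window_sec)
        # Replay detection is effectively off once the window reaches the
        # 15-minute retention plus the tolerated skew (>= 920 s by default).
        self.replay_detection = self.replay_window < EXPIRY_WINDOW + self.clock_skew
        self.seen = {}  # signature -> time first seen; kept for 15 minutes

    def _evict(self, now):
        cutoff = now - EXPIRY_WINDOW
        self.seen = {sig: t for sig, t in self.seen.items() if t >= cutoff}

    def check(self, now, signature, timestamp=None, expires=None):
        """Return (accepted, reason) for a request received at `now`.

        `timestamp`/`expires` are the request's Timestamp and Expires
        elements (timezone-aware datetimes); `signature` stands in for the
        request signature."""
        if timestamp is None and expires is None:
            return False, "missing Timestamp/Expires"
        # Freshness: an Expires element is authoritative; otherwise the
        # request expires 15 minutes after its Timestamp. Up to clock_skew
        # of drift between client and server is tolerated either way.
        deadline = expires if expires is not None else timestamp + EXPIRY_WINDOW
        if now > deadline + self.clock_skew:
            return False, "expired"
        if timestamp is not None and timestamp > now + self.clock_skew:
            return False, "timestamp in the future"
        if not self.replay_detection:
            return True, "ok (replay detection disabled)"
        # Replay: a signature already seen in the last 15 minutes is rejected,
        # unless it arrives within replay_skew_window of the first copy
        # (a window of 0 rejects every duplicate).
        self._evict(now)
        first = self.seen.get(signature)
        if first is not None:
            if self.replay_window == timedelta(0) or now - first > self.replay_window:
                return False, "replay"
        else:
            self.seen[signature] = now
        return True, "ok"
```

With the defaults, a request whose Timestamp is 919 seconds old is still accepted (900 s expiry plus 20 s skew) and a duplicate signature is accepted only within 3 seconds of the first copy; setting replay_skew_window_sec to 0 rejects every duplicate, and 920 or more switches replay detection off.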
Reserve Ports
Eucalyptus components use a variety of ports to communicate. The following table lists the all of the important ports
used by Eucalyptus.
Port Description
TCP 5005  DEBUG ONLY: used for debugging Eucalyptus (using the --debug flag).
TCP 8080  Port for the administrative web user interface. Forwards to 8443. Configurable with euca-modify-property.
TCP 8443  SSL port for the administrative web user interface. Configurable with euca-modify-property.
TCP 8772  DEBUG ONLY: JMX port. Disabled by default; can be enabled with the --debug or --jmx options for CLOUD_OPTS.
TCP 8773  Web services port for the CLC, Walrus, SC, and VB; also used for external and internal communications by the CLC and Walrus. Configurable with euca-modify-property.
TCP 8774  Web services port on the CC. Configured in the eucalyptus.conf configuration file.
TCP 8775  Web services port on the NC. Configured in the eucalyptus.conf configuration file.
TCP 8776  Used by the image cacher on the CC. Configured in the eucalyptus.conf configuration file.
TCP 8777  Database port on the CLC.
TCP 8779 (or the next available port, up to TCP 8849)  jGroups failure detection port on the CLC, Walrus, VB, and SC. If port 8779 is available it is used; otherwise the next port in the range is tried until an unused port is found.
TCP 8888  Default port for the Eucalyptus User Console. Configured in the /etc/eucalyptus-console/console.init file.
TCP 16514  TLS port on the Node Controller, required for node migrations.
UDP 7500  Port for diagnostic probing on the CLC, Walrus, SC, and VB.
UDP 8773  HA membership port.
TCP/UDP 53  DNS port on the CLC.
Caution: Performing this operation to define special iptables rules that are loaded when Eucalyptus starts could
cause Eucalyptus VM networking to fail. We recommend that you only do this if you are completely sure that
it will not interfere with the operation of Eucalyptus.
session.idle.timeout=1800
session.abs.timeout=43200
Configure LDAP
Manage Reporting
Eucalyptus provides two ways for getting metrics for your cloud: you can get a report directly from the Cloud Controller
(CLC), or you can get a report from data exported from the CLC and imported to a data warehouse.
When you install Eucalyptus, you automatically get the reporting system in place to generate reports from the CLC.
However, the down side to using the CLC for reports is latency. Because of this, Eucalyptus also supports a data
warehouse that resides outside the Eucalyptus system to store report data.
This section describes the concepts and best practices for Eucalyptus reporting, and how to generate reports.
Reporting Overview
Eucalyptus lets you generate reports to monitor cloud resource use. Each type of report is for a specified time range.
Eucalyptus supports the following report types:
Instance: The instance report provides information about the amount, duration, and utilization of all running instances.
Use this report to understand how many instances each user is running, whether your instance types are large enough,
etc.
S3: The S3 report provides information about the number of buckets and objects stored in Walrus. Empty buckets
are not reported. Use this report to understand the storage needs of each user and your cloud's storage needs.
Volume: The volume report provides information about the amount, duration, and size of all volumes in use. Use
this report to understand how many volumes are running, and what the storage size of each volume is.
Snapshot: The snapshot report provides information about the amount of your cloud's snapshots. Use this report to
understand how many snapshots there are and from which volumes, and what the size of each snapshot is.
Elastic IP: The elastic IP report provides information about the lifecycle of elastic IPs in your cloud, including which
user is using which IPs, which IPs are currently in use, and how often and for how long each IP is allocated. Use
this report to understand how many IPs each user is assigned, which instance each IP is assigned to, and the
running time of each IP.
Capacity: The capacity report provides overall information about your cloud's resources, including instance types
and storage. Use this report to determine if your resources are being used adequately, and whether you need to scale
up or down.
You can generate reports in either CSV or HTML formats for use with external tools.
If you want to use the CLC for your reports, see Reporting Tasks: CLC.
If you want to use the data warehouse for your reports, see Set Up the Data Warehouse.
Instance Report
The Instance Report has the following column headings:
Heading Description
S3 Report
The S3 Report has the following column headings:
Heading Description
Volume Report
The Volume Report has the following column headings:
Heading Description
Snapshot Report
The Snapshot Report has the following column headings:
Heading Description
Elastic IP Report
The Elastic IP Report has the following column headings:
Heading Description
Elastic IP IP address
Instance ID Identifier of the instance that is assigned the elastic IP
# IPs Number of IPs used by a user(s)
Duration Length in time that the elastic IP is in use by an instance
Capacity Report
The Capacity Report has the following column headings:
Heading Description
Reporting Tasks
This section explains the tasks associated with the Eucalyptus reporting feature. The tasks are grouped by where you
run reports from: the Cloud Controller (CLC) or the data warehouse. Follow the steps listed below to configure
reporting, then find the tasks associated with reports.
When you install Eucalyptus, you automatically get the ability to run reports against the CLC. This reporting functionality
is done in the Eucalyptus Administrator Console. For further information, see Reporting Tasks: CLC.
Many environments choose to focus the CLC function on the cloud processes, rather than on reporting processes. For
these needs, Eucalyptus supports exporting data from the CLC to a data warehouse and running reports against the data
in that data warehouse. For more information, see Reporting Tasks: Data Warehouse.
4. Click Generate.
The report displays on the screen.
To download the report, click the CSV or HTML icon at the bottom of the screen.
su - postgres
psql
6. Log out.
exit
eucadw-status -p <your_password>
Export Data
To export data from the Cloud Controller (CLC):
Run the following command:
For more information about the eureport-export-data command, go to the Euca2ools Reference Guide.
Import Data
To import data into the data warehouse:
Run the following command:
where filename is the export file (produced by eureport-export-data) whose data you want to import.
where:
start_date is the date you want data from. For example, 2012-11-05.
end_date is the date you want data to.
report_type is the type of report you want to run: instance, S3, volume, snapshot, IP, or capacity.
your_password is the administrator password you configured in the data warehouse installation.
Eucalyptus Commands
This section contains reference information for Eucalyptus administration and reporting commands.
euca_conf
This is the main configuration command for Eucalyptus.
Syntax
euca_conf
Options
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
Note: A secret key passed with -S appears in the process list of every user on the host and can be recorded in shell history. Prefer --config with a credentials file that only you can read.
euca-describe-properties
This command lists cloud properties and their current values.
Syntax
euca-describe-properties
Options
None
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
euca-modify-property
This command modifies a Eucalyptus cloud property.
Syntax
euca-modify-property
Options
-p, --property name=value  Set the named property to the specified value. (Required: conditional)
-r name  Resets the named property to the default value. (Required: no)
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
euca-describe-services
This command returns information about all running services.
Syntax
euca-describe-services
Options
-A, --all  Include all public service information. Reported state information is determined by the view available to the target host, which should be treated as advisory (see documentation for guidance on interpreting this information). (Required: no)
--system-internal  Include internal services information. Note: This information is only for the target host. (Required: no)
--user-services  Include services that are user-facing and co-located with some other top-level service. Note: This information is only for the target host. (Required: no)
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
eureport-generate-report
Generates a report from the CLC.
Syntax
Options
-s, --start-date start_date  Inclusive start date for the reported data in YYYY-MM-DD format. For example, 2012-08-19. (Required: yes)
-e, --end-date end_date  Exclusive end date for the reported data in YYYY-MM-DD format. For example, 2012-08-26. (Required: yes)
--size-unit size_unit  The unit for metrics that are reported by size alone. Valid values: b | kb | mb | gb. Default: gb (Required: no)
--size-time-size-unit size_time_size_unit  The size unit for metrics that combine size and time (for example, storage held over an interval). Valid values: b | kb | mb | gb. Default: gb (Required: no)
--size-time-time-unit size_time_time_unit  The time unit for metrics that combine size and time. Valid values: seconds | minutes | hours | days. Default: days (Required: no)
-d, --dependencies  Include event dependencies from outside the requested time period. (Required: no)
-F, --force  Overwrite output file if it exists. (Required: no)
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
Output
Eucalyptus returns a message stating that report was generated to the file you specified.
Example
eureport-delete-data
Deletes report data generated before a specified date. The deletion cannot be undone; if you still need the data (for example, in the data warehouse), run eureport-export-data first.
Syntax
Options
-s, --start-date start_date  Inclusive start date for the deleted report data in YYYY-MM-DD format. For example, 2012-08-19. (Required: no; the example below deletes everything before the end date using -e alone)
-e, --end-date end_date  Exclusive end date for the deleted report data in YYYY-MM-DD format. For example, 2012-08-26. (Required: yes)
-d, --dependencies  Include event dependencies from outside the requested time period. (Required: no)
filename  Path to the reporting data export file. (Required: no)
-F, --force  Overwrite output file if it exists. (Required: no)
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
Output
Eucalyptus returns a message detailing the number of data entries it deleted.
Example
eureport-delete-data -e 2012-11-06
Deleted 153415 reporting data entries.
eureport-export-data
Exports report data to a file. This file can be imported into the data warehouse.
Syntax
Options
Common Options
Option Description
--region region  Region to direct requests to. Only valid for EC2 endpoints.
-U, --url url  URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I, --access-key-id access_key_id  User's access key ID
-S, --secret-key secret_key  User's secret key
--config configuration_path  Read credentials and cloud settings from the specified config file. Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug  Prints what the command sends to the server and what it receives from the server. Use when you're trying to debug Euca2ools.
--debugger  Enable interactive debugger on error
-h, --help  Display the manual page for the command.
--version  Display the version of this tool
Output
Eucalyptus returns a message stating that the data was exported to the file you specified.
Example
eucadw-status
Checks for a connection to the data warehouse and for available data stored in the data warehouse. Because the password is given on the command line, it is visible in the process list to other users on the host and may be saved in your shell history.
Syntax
eucadw-status -p password
Options
-p password  Administrator password you configured in the data warehouse installation. (Required: yes)
Common Options
None.
Output
Eucalyptus returns the connection status.
Examples
The following example shows a successful connection.
eucadw-status -p mypassword
Connected to database: localhost:8777/reporting as eucalyptus
Data present from 2012-05-27 22:25:01 to 2012-09-24 22:58:01
The following example shows a failed connection; here the data warehouse was configured with a database name that does not exist on the server (SQLState 3D000 is PostgreSQL's "invalid catalog name").
eucadw-status -p mypassword
Database access failed with the following details.
SQLState : 3D000
Error Code: 0
FATAL: database "blah" does not exist
eucadw-import-data
Imports data into the data warehouse. This data is in a specified file that has first been generated from the
eureport-export-data command.
Syntax
Options
-e, --export export_filename  Name of the export file you want to import into the data warehouse. (Required: yes)
-p password  Administrator password you configured in the data warehouse installation. (Required: yes)
-r, --replace  Use this option if you want to replace an existing file that has the same name as the file you are importing. (Required: no)
Common Options
None.
Output
Eucalyptus returns a message detailing the number of entries imported and the timeframe of those entries.
Example
eucadw-generate-report
Generates a report from the data warehouse.
Syntax
eucadw-generate-report -p password [filename]
[-t report_type] [-f report_format] [-s start_date]
[-e end_date] [--size-unit size_unit]
[--time-unit time_unit]
[--size-time-size-unit size_time_size_unit]
[--size-time-time-unit size_time_time_unit] [-d] [-F]
Options
-p password  Administrator password you configured in the data warehouse installation. (Required: yes)
filename  Name of the file to output report data to. If you do not enter a filename, Eucalyptus generates report data to the console. (Required: no)
-t, --type report_type  Type of report to generate. Valid values: elastic-ip | instance | s3 | snapshot | volume. Default: instance (Required: no)
-f, --format report_format  Format of the report (CSV or HTML; see Reporting Overview). Default: html (Required: no)
-s, --start-date start_date  Inclusive start date for the reported data in YYYY-MM-DD format. For example, 2012-08-19. (Required: no)
-e, --end-date end_date  Exclusive end date for the reported data in YYYY-MM-DD format. For example, 2012-08-26. (Required: yes)
--size-unit size_unit  The unit for metrics that are reported by size alone. Valid values: b | kb | mb | gb. Default: gb (Required: no)
--size-time-size-unit size_time_size_unit  The size unit for metrics that combine size and time. Valid values: b | kb | mb | gb. Default: gb (Required: no)
--size-time-time-unit size_time_time_unit  The time unit for metrics that combine size and time. Valid values: seconds | minutes | hours | days. Default: days (Required: no)
-d, --dependencies  Include event dependencies from outside the requested time period. (Required: no)
-F, --force  Overwrite output file if it exists. (Required: no)
Common Options
None.
Output
Eucalyptus returns a message stating that report was generated to the file you specified.
Example
Property Description
cloud.cluster.notreadyinterval  The time period between service state checks for a Cluster Controller which is NOTREADY.
cloud.cluster.pendinginterval  The time period between service state checks for a Cluster Controller which is PENDING.
cloud.cluster.requestworkers  The number of concurrent requests which will be sent to a single Cluster Controller.
cloud.cluster.startupsyncretries  The number of times a request will be retried while bootstrapping a Cluster Controller.
cloud.images.defaultkernelid  The default kernel used for running images which do not have a kernel specified in the manifest, at register time, or at run-instances time.
cloud.images.defaultramdiskid  The default ramdisk used for running images which do not have a ramdisk specified in the manifest, at register time, or at run-instances time.
cloud.images.defaultvisibility  The default value used to determine whether or not images are marked 'public' when first registered. Set this to false unless you intend every newly registered image to be visible to all accounts.
cloud.network.global_max_network_index  Default max network index.
cloud.network.global_max_network_tag  Default max VLAN tag.
cloud.network.global_min_network_index  Default min network index.
cloud.network.global_min_network_tag  Default min VLAN tag.
cloud.network.network_index_pending_timeout  Minutes before a pending index allocation times out and is released.
cloud.vmstate.ebs_volume_creation_timeout  Amount of time (in minutes) allowed for the EBS volume backing an instance to be created.
cloud.vmstate.instance_subdomain  Subdomain to use for instance DNS.
cloud.vmstate.instance_timeout  Amount of time (in minutes) before a previously running instance which is not reported will be marked as terminated.
cloud.vmstate.mac_prefix  Prefix to use for instance MAC addresses.
cloud.vmstate.max_state_threads  Maximum number of threads the system will use to service blocking state changes.
cloud.vmstate.network_metadata_refresh_time  Maximum amount of time (in seconds) that the network topology service takes to propagate state changes.
cloud.vmstate.shut_down_time  Amount of time (in minutes) before a VM which is not reported by a cluster will be marked as terminated.
cloud.vmstate.stopping_time  Amount of time (in minutes) before a stopping VM which is not reported by a cluster will be marked as terminated.
cloud.vmstate.terminated_time  Amount of time (in minutes) that a terminated VM will continue to be reported.
cloud.vmstate.tx_retries  Number of times to retry transactions in the face of potential concurrent update conflicts.
cloud.vmstate.volatile_state_interval_sec  Period (in seconds) between state updates for actively changing state.
cloud.vmstate.volatile_state_timeout_sec  Timeout (in seconds) before a requested instance terminate will be repeated.
euca-modify-property -p mypartition.storage.enablesyncsnaps=true
You have now successfully configured synchronous snapshots for your EMC VNX SAN installation.
The primary goals for multipathing with EMC VNX as a Eucalyptus EBS backend are to:
Avoid single points of failure
Maximize bandwidth for data access
Isolate control traffic from data traffic to avoid performance problems
To achieve these goals, some best practice suggestions for multipathing are:
Have at least two distinct networks for the data paths between NC/SC hosts and the SAN, so that there is no single
point failure on the data path.
Have separate network interfaces for NC and SC data and control traffic, to minimize traffic interference and
maximize data bandwidth. Data access interfaces can use larger pipes, such as 10 Gb Ethernet.
Connect both SPs on the SAN to all of the data access networks.
The following diagram shows a typical multipathing configuration with EMC VNX. In this diagram, NC/SC hosts have
3 network interfaces: data port 0 and data port 1 for iSCSI data access, and the control port, which is used for control
messages for Eucalyptus internal traffic. Each of the data ports connects to a separate switch: switch 0 and switch 1. Each
of the SAN storage processors, SP A and SP B, connects to both switches. In this diagram, we have 4 distinct iSCSI
paths for each storage volume:
1. Data port 0 -> Switch 0 -> SP A
2. Data port 0 -> Switch 0 -> SP B
3. Data port 1 -> Switch 1 -> SP A
4. Data port 1 -> Switch 1 -> SP B
In this scenario, the failure of any one path does not affect access to the volumes.
The Eucalyptus EMC VNX Multipathing feature requires the following to function properly:
Properly installed and configured Linux Device Mapper Multipathing software on both the Storage Controller and
Node Controller hosts.
Correctly configured iSCSI path system property and related STORAGE_INTERFACES parameters in the
eucalyptus.conf configuration file for both SC and NC.
Prerequisites for Troubleshooting Typical Multipathing Failures
Before you start diagnosing problems with multipathing, make sure you set the proper logging level on both SC and NC machines, so that you can get detailed failure logs. To do that:
Set the cloud.euca_log_level system property to DEBUG
Uncomment the LOGLEVEL=DEBUG entry in the eucalyptus.conf file on the NC, and then restart the NC service
Restore the previous log level on both hosts once you have finished diagnosing the problem.
General Troubleshooting Techniques for Multipathing Failures
The following are general tips to help diagnose multipathing problems:
Make sure you turn on the DEBUG log level for both SC and NC so that you can get detailed information from the logs.
Eucalyptus calls some external Perl scripts to perform the actual iSCSI connect/disconnect operations. These scripts are:
/usr/share/eucalyptus/connect_iscsitarget.pl
/usr/share/eucalyptus/disconnect_iscsitarget.pl
/usr/share/eucalyptus/get_iscsitarget.pl
The STDERR output of these scripts is logged; you can add debug code to print information to STDERR to see what happens during connection or disconnection operations.
The iscsiadm open-iscsi initiator command line tool can help you get the current status of all the iSCSI connections in the system. For example:
iscsiadm -m session -P 3
Use the multipath command line tool to see multipathing status. For example:
multipath -ll -v 3
Cannot attach volumes
This can occur for a number of reasons. To diagnose this, try some of the following:
Make sure you can attach a volume without using multipathing.
Check your SAN-related system properties to see if you have set the correct values.
Use a single path for the NC; for example, set PARTITION.storage.ncpaths to something
like 192.168.25.182. If you specify an iface in your path, like iface0:192.168.25.182, also
make sure you have iface0 defined with STORAGE_INTERFACES in eucalyptus.conf
configuration file on the NC.
If you have no problem attaching a volume with a single path, the failure may be due to the
incorrect state of the Linux device mapper multipathing tool. Check if the multipathd service
is running on the NC hosts and if /etc/multipath.conf is installed and configured properly
(for example, copy the example configuration provided by Eucalyptus). Remember to set
user_friendly_names to yes in /etc/multipath.conf. You can try restarting multipathd
and/or reloading /etc/multipath.conf if you changed it previously. Run multipath -ll on
NC host and see if it returns reasonable output without any error.
Check that the PARTITION.storage.ncpaths property value is correct. A typo in a path can cause volume attach
failures.
Make sure that the networking configuration is correct for the NC hosts. If you set the paths without specific ifaces,
check whether you can connect to each IP in the path using the default network interface; otherwise, check each
path's connectivity using the specified network interface.
Check network connectivity with all of the configured paths.
Check the nc.log log file for the string connect_iscsitarget. Examine the return results,
especially the stderr output.
Not all paths are connected
Sometimes when you run multipath -ll on NC hosts after attaching a volume, you find that the multipath device does not have all of the paths connected. In this case, the problem could be due to one of the following:
There is a mistake in the paths in one of the PARTITION.storage.ncpaths entries. If one of
the paths specified in the system property is wrong, then it is possible that the specific path
can not be connected. Make sure you have all the paths specified correctly.
The missing paths are not valid networking paths, or have networking issues. For example,
when you ignore the iface part of a path, are you sure that the destination of the path (the IP
part of the path) can be connected via the default network interface? Or if you specified the
iface, are you sure you defined the iface in the eucalyptus.conf configuration file, and that
the destination can be connected with the specified network interface?
If the paths specified are all valid, but some of them do not have connectivity, try to ping each
of the specified paths on the NC hosts to check for connectivity. If there are connectivity issues,
contact your network administrator.
Snapshotting failed
The Eucalyptus Storage Controller needs to attach a volume on the machine it runs on so it can upload to Walrus during an EC2 snapshot call. To help ensure maximum reliability for snapshotting, you should use multipathing for the SC host; this is configured with the PARTITION.storage.scpaths system property. When multipathing is enabled for the SC, if you see a snapshot failure, it may be caused by multipathing. Techniques for diagnosing SC multipathing failures are similar to those used for NC multipathing failures. In the case of SC multipathing failures, the logs are in /var/log/eucalyptus/cloud-*.log, not nc.log, since the iSCSI connect scripts are invoked by Java code.
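The configuration and path checks described in the troubleshooting table above can be scripted. The following shell script is an added example and is not part of the Eucalyptus documentation or code base. It assumes (hypothetically, modelled on the examples above) that PARTITION.storage.ncpaths is a comma-separated list of iface:ip or bare ip entries, that STORAGE_INTERFACES in eucalyptus.conf holds comma-separated iface=device pairs, and that multipath -ll prints one H:C:T:L line per path. The sample eucalyptus.conf fragment, ncpaths value and multipath output embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example for the multipathing troubleshooting table above. This is
# not Eucalyptus code; it automates the checks the text describes.
#
# Assumptions (hypothetical, not confirmed by the page):
#   - PARTITION.storage.ncpaths is a comma-separated list of "iface:ip" or
#     bare "ip" entries, as in the iface0:192.168.25.182 example above.
#   - STORAGE_INTERFACES in eucalyptus.conf is a comma-separated list of
#     iface=device pairs (for example iface0=eth1).
#   - "multipath -ll" prints one "H:C:T:L dev major:minor state" line per path.

# Constructed NC eucalyptus.conf fragment used as sample input.
SAMPLE_CONF='LOGLEVEL=DEBUG
STORAGE_INTERFACES="iface0=eth1,iface1=eth2"'

# Constructed ncpaths value: iface2 is referenced but never defined above.
SAMPLE_NCPATHS="iface0:192.168.25.182,iface1:192.168.26.182,iface2:192.168.27.182,192.168.28.182"

# Constructed "multipath -ll" output: mpatha has all four paths up,
# mpathb has one path in "failed faulty" state.
SAMPLE_MULTIPATH="mpatha (36006016012345678000000000000001) dm-2 DGC,VRAID
size=10G features='1 queue_if_no_path' hwhandler='1 emc' wp=rw
|-+- policy='round-robin 0' prio=50 status=active
| |- 3:0:0:1 sdb 8:16 active ready running
| \`- 4:0:0:1 sdc 8:32 active ready running
\`-+- policy='round-robin 0' prio=10 status=enabled
  |- 5:0:0:1 sdd 8:48 active ready running
  \`- 6:0:0:1 sde 8:64 active ready running
mpathb (36006016012345678000000000000002) dm-3 DGC,VRAID
size=20G features='1 queue_if_no_path' hwhandler='1 emc' wp=rw
|-+- policy='round-robin 0' prio=50 status=active
| |- 3:0:0:2 sdf 8:80 active ready running
| \`- 4:0:0:2 sdg 8:96 active ready running
\`-+- policy='round-robin 0' prio=10 status=enabled
  |- 5:0:0:2 sdh 8:112 active ready running
  \`- 6:0:0:2 sdi 8:128 failed faulty running"

# Extract the STORAGE_INTERFACES value (quotes stripped) from eucalyptus.conf text.
storage_interfaces() {
  printf '%s\n' "$1" | sed -n 's/^STORAGE_INTERFACES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# Print every iface named in ncpaths that STORAGE_INTERFACES does not define.
# Such a path can never be connected: the "not all paths are connected" case.
undefined_ifaces() {
  printf '%s\n' "$2" | tr ',' '\n' | awk -F: -v defined="$(storage_interfaces "$1")" '
    BEGIN { n = split(defined, pairs, ",")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); have[kv[1]] = 1 } }
    NF == 2 && !($1 in have) { print $1 }'
}

# Print one ping command per path, binding to the iface device with -I when the
# path names an iface, so connectivity is tested the way the NC will use it.
path_ping_commands() {
  printf '%s\n' "$2" | tr ',' '\n' | awk -F: -v defined="$(storage_interfaces "$1")" '
    BEGIN { n = split(defined, pairs, ",")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); dev[kv[1]] = kv[2] } }
    NF == 2 && ($1 in dev)  { print "ping -c 1 -I " dev[$1] " " $2 }
    NF == 2 && !($1 in dev) { print "# " $1 " not in STORAGE_INTERFACES; cannot test " $2 }
    NF == 1                 { print "ping -c 1 " $1 }'
}

# Print each multipath device whose count of "active ready" paths is below $2
# (4 in the two-switch, two-SP layout described above).
degraded_multipath_devices() {
  printf '%s\n' "$1" | awk -v want="$2" '
    function flush() { if (dev != "" && ok < want) print dev; ok = 0 }
    /^[A-Za-z0-9_-]+ \(/ { flush(); dev = $1 }
    / [0-9]+:[0-9]+:[0-9]+:[0-9]+ / && / active ready / { ok++ }
    END { flush() }'
}

# With --live, run against the real NC configuration and multipath state.
if [ "${1-}" = "--live" ]; then
  conf=$(cat /etc/eucalyptus/eucalyptus.conf)
  ncpaths=${2:?"usage: $0 --live <ncpaths value> [expected paths]"}
  echo "undefined ifaces:";    undefined_ifaces "$conf" "$ncpaths"
  echo "connectivity checks:"; path_ping_commands "$conf" "$ncpaths"
  echo "degraded devices:";    degraded_multipath_devices "$(multipath -ll)" "${3:-4}"
fi
```

Run it with --live on an NC host, passing the value you set in PARTITION.storage.ncpaths, to get the list of undefined ifaces, the ping commands to run for each path, and any multipath device that has fewer healthy paths than the layout should provide. The expected path count defaults to 4 to match the diagram; pass a third argument if your layout differs.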
Note: The following configuration options are a subset of the NetApp SAN configuration parameters. Changing
these default values may cause storage operations to fail. Proceed at your own risk. For more information
on NetApp configuration, refer to the NetApp Data ONTAP 7G documentation and the NetApp Data
ONTAP 8G documentation (these links require you to register and log in).
<region>.storage.dedupschedule  Schedule string for the dedup and/or compression operation on flex volumes. <region>.storage.enablededup must be true before configuring the schedule. If the schedule is not configured, NetApp applies a default schedule to the flex volume. In Cluster-Mode, either the schedule or the policy can be configured for the flex volume; both cannot be configured together. The format of the schedule string is day_list@hour_list or hour_list@day_list or - or auto. day_list specifies which days of the week the sis operation should run. It is a comma-separated list of the first three letters of the day: sun, mon, tue, wed, thu, fri, sat. Day ranges such as mon-fri can also be used. hour_list specifies which hours of the day the sis operation should run on each scheduled day. hour_list is a comma-separated list of the integers from 0 to 23. Hour ranges such as 8-17 are allowed. Step values can be used in conjunction with ranges. If - is specified, no schedule is set. The auto schedule string means the sis operation will be triggered by the amount of new data written to the volume. Default value: n/a
<region>.storage.lunostype  The operating system of the host accessing the LUN. This determines the layout of the data on the LUN, the geometry used to access that data, and property offsets for the LUN to ensure it is properly aligned with the upper layers of the file system. Default value: linux. Valid values: solaris, solaris_efi, windows, windows_gpt, windows_2008, hpux, aix, linux, netware, vmware, xen, or hyper_v
<region>.storage.initiatorostype  Operating system type of the hypervisor hosting the instances. Default value: linux. Valid values: solaris, windows, hpux, aix, linux, netware, vmware, xen, or hyper_v
7-Mode Properties
The following properties are specific to 7-mode: